Arbitrary Solr Streaming Expression Vulnerability in Goobi Viewer by Intranda
CVE-2026-45083

9.8CRITICAL

Key Information:

Vendor

Intranda

Status
Goobi-viewer-core
Vendor
CVE Published:
27 May 2026

What is CVE-2026-45083?

The Goobi Viewer, a web application for displaying digitized materials, has a serious vulnerability related to its REST endpoint. Versions from 4.8.0 up to but not including 26.04.1 are affected. Specifically, the POST /api/v1/index/stream endpoint accepted arbitrary Solr streaming expressions from unauthenticated users, allowing attackers to access the entire Solr index. Furthermore, in default Solr setups, the vulnerability enables attackers to potentially modify or delete indexed records. This poses a significant risk to data integrity and confidentiality. The issue has been addressed in version 26.04.1 as confirmed through recent security advisories.

Affected Version(s)

goobi-viewer-core >= 4.8.0, < 26.04.1

References

https://github.com/intranda/goobi-viewer-core/security/ad...
x_refsource_CONFIRM
https://github.com/intranda/goobi-viewer-core/commit/3269...
x_refsource_MISC
https://github.com/intranda/goobi-viewer-core/commit/6bfb...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.