Slash & Burn: Bypassing Apache Solr Authorization with a Single Character
Vulnerability ID: CVE-2026-22022
CVSS Score: 8.2
Published: 2026-01-21
A critical logic flaw in Apache Solr's RuleBasedAuthorizationPlugin allows remote attackers to bypass access controls on administrative endpoints. By simply appending a trailing slash or manipulating path parameters, attackers can trick the authorization mechanism into failing open, granting access to sensitive configuration and security data.
TL;DR
Apache Solr versions 5.3.0 through 9.10.0 contain a 'fail-open' authorization vulnerability. If a deployment uses the RuleBasedAuthorizationPlugin without a catch-all 'all' permission rule, attackers can bypass specific permission checks (such as security-read) by appending a trailing slash to the request path. This exploits a normalization inconsistency: Solr fails to match the modified path to a permission name, the lookup returns 'null', and the plugin then allows the request instead of denying it.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-22022
- CVSS v3.1: 8.2 (High)
- CWE: CWE-285 (Improper Authorization)
- Attack Vector: Network (API)
- Exploit Complexity: Low
- Privileges Required: None / Low (depending on network access)
- Status: Patched
Affected Systems
- Apache Solr 5.3.0
- Apache Solr 6.x
- Apache Solr 7.x
- Apache Solr 8.x
- Apache Solr 9.0.0 - 9.10.0
Apache Solr: >= 5.3.0, <= 9.10.0 (Fixed in: 9.10.1)
Code Analysis
Commit: c135e63
Fix for CVE-2026-22022: Normalize paths and throw exception on null permissions
PermissionNameProvider.Name permissionName = handler.getPermissionName(context);
+ if (permissionName == null) {
+ throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, ...);
+ }
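Review bot: the null case is raised as SolrException.ErrorCode.SERVER_ERROR, so an unmatched path will surface to clients as a server error rather than the 403 Forbidden that the remediation guidance later asks operators to verify; consider whether a null permission name should instead map to a forbidden or bad-request response, and document the choice either way. The "Normalize paths" half named in the commit message is not visible in this hunk, so a test that the trailing-slash form of a path (the '/security.json/' case from the advisory) resolves to the same permission name as the unmodified path would make the fix verifiable from the diff alone.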
Exploit Details
- Manual Analysis: exploitation requires only manual modification of the URL path parameter to append a trailing slash (e.g., ?path=/security.json/); no tooling is needed.
Mitigation Strategies
- Upgrade to Apache Solr 9.10.1 or later.
- Configure a 'default deny' rule in security.json: a catch-all 'all' permission bound to a role, placed as the last rule, so that requests that match no specific permission are denied rather than allowed.
- Implement WAF rules to block trailing slashes on sensitive API paths.
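The fail-open precondition from the TL;DR and the 'default deny' mitigation above, as an added example that is not Solr's code or part of this advisory: two constructed security.json fragments, an audit that flags a missing or misplaced catch-all 'all' rule, and a simplified authorization model. The PATH_PERMISSIONS table, normalize_path and authorize are assumptions standing in for Solr's handler lookup and the RuleBasedAuthorizationPlugin's rule evaluation; they show why '/security.json/' resolves to no permission name, how the catch-all rule still covers that case, and how the fix's normalize-and-reject behaviour closes the gap even without it.

```python
import json

# Constructed security.json fragments (not taken from any real deployment).
# The first relies on every request resolving to a named permission; the
# second adds the catch-all 'all' rule as the final entry.
WEAK_SECURITY_JSON = """
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-read", "role": "admin"},
      {"name": "security-edit", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}
"""

HARDENED_SECURITY_JSON = """
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-read", "role": "admin"},
      {"name": "security-edit", "role": "admin"},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}
"""

# Assumed, simplified stand-in for the handler's path -> permission-name lookup.
PATH_PERMISSIONS = {"/security.json": "security-read"}


def load_permissions(security_json):
    """Pull the permission rule list out of a security.json document."""
    return json.loads(security_json)["authorization"]["permissions"]


def audit_permissions(permissions):
    """Return findings for the fail-open precondition; an empty list means ok."""
    findings = []
    catch_all = [i for i, p in enumerate(permissions) if p.get("name") == "all"]
    if not catch_all:
        findings.append("no catch-all 'all' rule: requests matching no rule are allowed")
    elif catch_all[0] != len(permissions) - 1:
        # The first matching rule wins, so an early 'all' shadows later rules.
        findings.append("'all' rule is not last: it shadows the rules after it")
    return findings


def normalize_path(path):
    """Strip trailing slashes so '/security.json/' resolves like '/security.json'."""
    while len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path


def authorize(path, user_roles, permissions, patched):
    """Return True if the request is allowed.

    patched=False models the fail-open behaviour described in the advisory;
    patched=True models the fix: normalize first, reject a null permission name.
    """
    key = normalize_path(path) if patched else path
    name = PATH_PERMISSIONS.get(key)
    if name is None and patched:
        return False  # fixed behaviour: null permission name is an error
    for rule in permissions:
        if rule["name"] == "all" or rule["name"] == name:
            return rule["role"] in user_roles
    return True  # no rule matched: the plugin allows the request


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SECURITY_JSON), ("hardened", HARDENED_SECURITY_JSON)):
        rules = load_permissions(doc)
        print(label, "audit:", audit_permissions(rules) or "ok")
        for patched in (False, True):
            allowed = authorize("/security.json/", [], rules, patched)
            print(f"  patched={patched} anonymous '/security.json/' allowed={allowed}")
```

Running the module prints the audit result for each fragment and whether an anonymous request for the trailing-slash path is allowed: only the weak configuration on unpatched logic allows it, which is exactly the combination the advisory describes.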
Remediation Steps:
- Download Apache Solr 9.10.1.
- Back up existing security.json and schema configurations.
- Stop the Solr service.
- Replace the binaries with the patched version.
- Restart Solr and verify administrative endpoints return 403 Forbidden for unprivileged users, even with trailing slashes appended.
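A post-upgrade check for the last remediation step, added here as an example rather than something shipped with Solr or this advisory: it requests each administrative path with and without a trailing slash as an unauthenticated client and reports any variant that is not rejected. The ADMIN_PATHS list is an assumption (endpoints typically covered by security-read; substitute the deployment's own), and 401 is accepted alongside the 403 named above because an authentication plugin may reject the request before authorization runs.

```python
import sys
import urllib.error
import urllib.request

# Assumed administrative endpoints to check; adjust to the deployment.
ADMIN_PATHS = ["/solr/admin/authorization", "/solr/admin/authentication"]


def variants(path):
    """The path as configured plus the trailing-slash form the advisory describes."""
    base = path.rstrip("/") or "/"
    return [base, base + "/"]


def http_status(url, timeout=5):
    """Unauthenticated GET; returns the HTTP status code, error responses included."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_fail_closed(base_url, paths=ADMIN_PATHS, fetch=http_status, expected=(401, 403)):
    """Return (url, status) for every variant an unauthenticated client could reach.

    fetch is injectable so the check can be exercised offline; expected lists the
    rejection codes that count as fail-closed (403 per the advisory, 401 when the
    authentication layer answers first).
    """
    reachable = []
    for path in paths:
        for variant in variants(path):
            url = base_url.rstrip("/") + variant
            status = fetch(url)
            if status not in expected:
                reachable.append((url, status))
    return reachable


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8983"
    problems = verify_fail_closed(target)
    for url, status in problems:
        print(f"NOT REJECTED: {url} -> HTTP {status}")
    print("ok: all variants rejected" if not problems else f"{len(problems)} variant(s) reachable")
    sys.exit(1 if problems else 0)
```

Run it against the restarted instance (python verify.py http://solr-host:8983); a non-zero exit means at least one path, in either form, was served to an anonymous client and the upgrade or security.json needs another look.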