CVE-2026-22022

CWE-285 | 8 documents | 7 sources

Severity: 8.2 HIGH
EPSS: 0.2% (top 59.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 21

Description

Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability:
* Use of Solr's "RuleBasedAuthorizationPlugin"
* A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles"
* A RuleBasedAuthorizationPlu

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Exploitability: 3.9 | Impact: 4.2

Affected Packages (3 packages)

Source      Package                                    From    To
NVD         apache/solr                                5.3.0   9.10.1
Maven       org.apache.solr:solr-core                  5.3.0   9.10.1
CVEListV5   apache_software_foundation/apache_solr     5.3     9.10.0

🔴 Vulnerability Details (4)

CVEList: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin (2026-01-21)
OSV: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin (2026-01-21)
OSV: CVE-2026-22022: Deployments of Apache Solr 5 (2026-01-21)
GHSA: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin (2026-01-21)

📋 Vendor Advisories (2)

Red Hat: org.apache.solr/solr-core: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin (2026-01-21)
Debian: CVE-2026-22022: lucene-solr - Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based ... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-22022 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-22022 (HIGH CVSS 8.2) | Deployments of Apache Solr 5.3.0 th | cvebase.io