CVE-2026-22444

CWE-20 — Improper Input Validation8 documents7 sources

Severity

7.1HIGH

EPSS

0.0%

top 91.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Solr Apache Software Foundation Apache Solr

Timeline

PublishedJan 21

Description

The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the files…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶Mavenorg.apache.solr:solr-core8.6.0 — 9.10.1

▶NVDapache/solr8.6.0 — 9.10.1

▶CVEListV5apache_software_foundation/apache_solr8.6 — 9.10.0

🔴Vulnerability Details

GHSA

Apache Solr: Insufficient file-access checking in standalone core-creation requests↗2026-01-21

▶

OSV

Apache Solr: Insufficient file-access checking in standalone core-creation requests↗2026-01-21

▶

CVEList

Apache Solr: Insufficient file-access checking in standalone core-creation requests↗2026-01-21

▶

OSV

CVE-2026-22444: The "create core" API of Apache Solr 8↗2026-01-21

▶

📋Vendor Advisories

Red Hat

org.apache.solr/solr-core: Apache Solr: Insufficient file-access checking in standalone core-creation requests↗2026-01-21

▶

Debian

CVE-2026-22444: lucene-solr - The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input v...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22444 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶