Apache Solr Hardcoded Admin Credentials (CVE-2026-44825): Default Accounts Installed Silently with Known Passwords

A hardcoded credentials vulnerability in Apache Solr, tracked as CVE-2026-44825, causes the Basic Authentication setup tool to silently install additional administrator accounts with publicly known default credentials alongside user-specified accounts. The vulnerability affects Apache Solr versions 9.4.0 through 10.0.0 and carries a CVSS score of 8.1. Any organisation that has used the Basic Authentication setup tool on a production Solr instance should immediately check for and remove the template accounts.

What Is the Vulnerability?

CVE-2026-44825 is a hardcoded credentials vulnerability in Apache Solr’s Basic Authentication setup tool (bin/solr auth enable). When an administrator uses this tool to configure authentication for their Solr cluster, the tool creates the user-specified administrative account — but also silently installs additional template user accounts with hardcoded, publicly known default passwords. These template accounts — named superadmin, admin, solr, and readonly — are created without any notification to the administrator and carry full administrative privileges or read access as their names suggest.

The practical impact is that any remote attacker who discovers a Solr instance with Basic Authentication enabled can attempt to authenticate using these known template account credentials. Because the credentials are publicly documented, a successful login gives the attacker full administrative access to the Solr cluster, including the ability to read, modify, and delete all indexed data, reconfigure the cluster, and potentially execute arbitrary code through Solr’s configuration and plugin mechanisms.

The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials):

  • CVSS v3.1 Score: 8.1 (High)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: High (AC:H) — requires Basic Authentication to be enabled
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)

Which Versions Are Affected?

The vulnerability affects Apache Solr versions where the Basic Authentication setup tool includes the silent template account creation:

  • Apache Solr 9.4.0 through 9.10.1 (inclusive)
  • Apache Solr 10.0.0

Versions prior to 9.4.0 (where the Basic Authentication tool was introduced) and versions beyond 9.10.1 / 10.0.0 (where the fix has been applied) are not affected. Apache Solr is widely deployed as the search backend for e-commerce platforms, content management systems, enterprise data lakes, log analytics pipelines, and site search functionality across thousands of organisations.

Is It Being Exploited in the Wild?

No large-scale exploitation has been publicly confirmed at the time of writing. However, the nature of this vulnerability — publicly known hardcoded credentials — means that exploitation requires no technical sophistication. An attacker simply needs to discover an internet-facing Solr instance with Basic Authentication enabled and attempt to log in using the documented template account credentials. Automated scanning for exposed Solr instances is trivial, and the attack is effectively a credential-stuffing exercise using known defaults. Organisations should assume that opportunistic scanning and exploitation are occurring and should remediate immediately.

What Is the Fix?

Apache has addressed CVE-2026-44825 in updated Solr releases. The official security advisory is available at:

https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch

Organisations can remediate in one of two ways:

  • Upgrade: Update Apache Solr to a version beyond 9.10.1 or 10.0.0 that includes the fix
  • Immediate workaround: Delete the template user accounts. Authenticate to your Solr instance and remove the following users if present: superadmin, admin, solr, and readonly. This eliminates the vulnerability without requiring a version upgrade.

Recommendations

Check every Solr instance today. The workaround is simple — delete four user accounts — but you need to check every Solr instance where Basic Authentication was configured. The template accounts were installed silently, so many administrators will be unaware they exist. Authenticate to each Solr instance and review the user list for the template account names.
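
One way to run this check offline against a copy of the cluster's security.json, as an added example (not code from the advisory or the Solr project): it reports which of the four template names hold a credential or a role mapping and builds the `delete-user` request body for Solr's authentication API. The sample document, the `search-ops` account and the `intended` parameter are constructed for illustration.

```python
import json

# Template account names listed in this advisory.
TEMPLATE_ACCOUNTS = ("superadmin", "admin", "solr", "readonly")

# Constructed sample security.json; credential values are placeholders.
SAMPLE_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "search-ops": "<hash> <salt>",
      "superadmin": "<hash> <salt>",
      "admin": "<hash> <salt>",
      "readonly": "<hash> <salt>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"search-ops": ["admin"], "superadmin": ["admin"],
                  "admin": "admin", "solr": ["admin"]}
  }
}
"""


def audit_security_json(text, intended=()):
    """Report template accounts and build a delete-user request body.

    `intended` names accounts the administrator created on purpose; they are
    still reported for review but are not queued for deletion.
    """
    doc = json.loads(text)
    creds = doc.get("authentication", {}).get("credentials", {})
    roles = doc.get("authorization", {}).get("user-role", {})
    findings = []
    for name in TEMPLATE_ACCOUNTS:
        if name not in creds and name not in roles:
            continue
        mapped = roles.get(name, [])  # Solr allows a string or a list here
        findings.append({
            "user": name,
            "has_password": name in creds,
            "roles": [mapped] if isinstance(mapped, str) else list(mapped),
            "intended": name in intended,
        })
    # Body for the "delete-user" command of Solr's authentication API.
    doomed = [f["user"] for f in findings if f["has_password"] and not f["intended"]]
    return findings, {"delete-user": doomed}
```

The returned body is what an authenticated administrator POSTs to `/solr/admin/authentication`. An entry with `has_password` false is a leftover role mapping without a login.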

Audit Solr access logs for template account usage. Review authentication logs for successful logins using the superadmin, admin, solr, or readonly account names. Any login by these accounts — particularly from unrecognised IP addresses — should be treated as a potential security incident. Investigate what actions were performed during those sessions.
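
The log review described above, sketched as an added example (not from the advisory or the Solr project). It assumes requests reach Solr through a reverse proxy that writes Combined Log Format with the Basic Authentication user name in the third field; the sample lines, addresses and the `known_ips` parameter are constructed.

```python
import re
from collections import defaultdict

TEMPLATE_ACCOUNTS = {"superadmin", "admin", "solr", "readonly"}

# Combined Log Format: host ident authuser [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; external addresses are from documentation ranges.
SAMPLE_LOG = """\
10.0.4.17 - search-ops [02/Jun/2026:09:14:02 +0000] "GET /solr/admin/cores HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.50 - admin [02/Jun/2026:09:20:11 +0000] "GET /solr/admin/info/system HTTP/1.1" 401 0 "-" "-"
203.0.113.50 - superadmin [02/Jun/2026:09:20:12 +0000] "GET /solr/admin/info/system HTTP/1.1" 200 2048 "-" "-"
203.0.113.50 - superadmin [02/Jun/2026:09:21:40 +0000] "POST /solr/admin/authentication HTTP/1.1" 200 64 "-" "-"
10.0.4.17 - readonly [02/Jun/2026:10:02:33 +0000] "GET /solr/products/select?q=*:* HTTP/1.1" 200 900 "-" "-"
"""


def template_logins(log_text, known_ips=()):
    """Group requests made with accepted template credentials by (user, IP)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in TEMPLATE_ACCOUNTS:
            continue
        if m["status"] == "401":
            continue  # assumption: 401 means the credentials were rejected
        hits[(m["user"], m["ip"])].append((m["time"], m["method"], m["path"]))
    report = []
    for (user, ip), requests in sorted(hits.items()):
        report.append({"user": user, "ip": ip, "recognised": ip in known_ips,
                       "requests": requests})
    # Unrecognised sources first, since those are the priority for triage.
    return sorted(report, key=lambda r: r["recognised"])
```

A 403 is deliberately kept in the results: it means the credentials were accepted and only the permission check failed.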

Rotate all Solr credentials after remediation. If the template accounts were present on your instance and you cannot confirm that they were never used by an attacker, rotate all legitimate Solr user credentials after deleting the template accounts. This ensures that even if an attacker had previously authenticated and extracted additional credentials, those credentials are invalidated.

Review indexed data for unauthorised access or modification. If exploitation is suspected, audit the Solr indexes for unexpected data modifications, deletions, or configuration changes. Check Solr configuration files for unexpected changes to request handlers, search components, or plugin configurations that could indicate an attacker establishing persistence.

Do not expose Solr directly to the internet. Solr is an enterprise search platform, not a public-facing web application. It should be deployed behind a reverse proxy or application layer with proper authentication, and should never be directly accessible from the internet. The hardcoded credentials vulnerability is one of many reasons to ensure Solr is properly segmented.

This advisory was first covered in the broader Vulnerability Intelligence Report — June 2, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
