CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests Severity: moderate Affected versions: Apache Solr 8.6 through 9.10.0 Description The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting. This can allow users to create cores using unexpected configsets if they are accessible via the filesystem. On Windows systems configured to allow UNC paths, this can additionally cause disclosure of NTLM "user" hashes. Affected Deployments Solr is running in its "standalone" mode. Solr's "allowPath" setting is being used to restrict file access to certain directories. Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Mitigation Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue. Issue Tracking This issue is being tracked as SOLR-18058 Credit Damon Toey (finder) References https://solr.apache.org https://www.cve.org/CVERecord?id=CVE-2026-22444 https://issues.apache.org/jira/browse/SOLR-18058