Apache Solr BasicAuth Tool Exposes Clusters Through Hardcoded Default Users
Apache disclosed CVE-2026-44825, a high-severity flaw in Apache Solr’s Basic Authentication bootstrap process that can leave clusters open to full remote administrative takeover. In affected versions, running the BasicAuth setup command
bin/solr auth enable
silently creates additional template accounts with publicly known default credentials alongside the administrator account chosen by the operator.
The issue affects Solr 9.4.0 through 9.10.1 and 10.0.0 and is tracked as SOLR-18233. Apache said deployments are at risk if they used the CLI to enable BasicAuth and left the template users unchanged; the exposed accounts include superadmin, admin, search, and index in security.json. As an immediate mitigation, administrators should remove those users or assign strong passwords, while fixes are expected in 9.11.0 and 10.1.0. The vulnerability was reported by Naveen Sunkavally of Horizon3.ai.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Apache discloses CVE-2026-44825 in Apache Solr
Apache disclosed CVE-2026-44825, a high-severity hardcoded-credentials vulnerability in Apache Solr's Basic Authentication setup tool. The issue affects Solr 9.4.0 through 9.10.1 and 10.0.0 when `bin/solr auth enable` creates additional template users with publicly known credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Apache Solr Default Credentials: CVE-2026-44825 Fix
securityonline.info
Open sourceCVE-2026-44825: Apache Solr Hardcoded Credentials | Horizon3.ai
horizon3.ai
Open sourceCVE-2026-44825 - Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
cvefeed.io
Open sourceoss-security - CVE-2026-44825: Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
openwall.com
Open sourceoss-sec: CVE-2026-44825: Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
seclists.org
Open sourceCVE-2026-44825: Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users-Apache Mail Archives
lists.apache.org
Open source[SOLR-18233] CVE-2026-44825 SolrCloud bin/solr hardcoded credentials - ASF Jira
issues.apache.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Hard-coded Credentials Vulnerability in Sunbird DCIM dcTrack and Power IQ
A critical vulnerability, tracked as CVE-2025-66237, has been identified in Sunbird's DCIM dcTrack and Power IQ platforms. The flaw involves the use of default and hard-coded credentials, which could allow an attacker to gain administrative access to the database, escalate privileges, or execute system commands on the host. The vulnerability affects DCIM dcTrack and Power IQ versions 9.2.0 and prior, and has been assigned a CVSS v4 base score of 8.4, indicating high severity. According to CISA, successful exploitation of this vulnerability could enable unauthorized access or credential theft. The advisory highlights that an attacker leveraging these hard-coded credentials could compromise the integrity and security of the affected systems, potentially leading to broader network exposure. Organizations using impacted Sunbird products are urged to review mitigation guidance and update their systems to address this critical security risk.
Mar 21, 2026
Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed **CVE-2026-43512**, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is `"null"`. The flaw affects multiple supported branches, including Tomcat `11.0.0-M1` through `11.0.21`, `10.1.0-M1` through `10.1.54`, and `9.0.0.M1` through `9.0.117`, with older unsupported releases potentially affected. Apache advised users to upgrade to `11.0.22+`, `10.1.55+`, or `9.0.118+`. Apache also disclosed **CVE-2026-44417**, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for **CVE-2025-48913**. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` versions before `3.6.11`; Apache said organizations should upgrade to `4.2.1`, `4.1.6`, or `3.6.11`.
May 25, 2026
Apache Camel K Authorization Bypass Enables Cross-Namespace Build Attacks
Apache disclosed **CVE-2026-45760**, an important-severity vulnerability in **Apache Camel K** that allows an authenticated user in one Kubernetes namespace to create a malicious `Build` resource that influences pod generation in another namespace. The flaw stems from an authorization bypass tied to a user-controlled key and an externally controlled reference to a resource in another sphere, enabling a cross-namespace **Build Deputy** attack that can reach even the operator namespace and weaken namespace isolation in multi-tenant clusters. The issue affects Apache Camel K versions **2.0.0 through before 2.8.1**, **2.9.0 through before 2.9.2**, and **2.10.0 through before 2.10.1**. Apache released fixes in **2.8.1**, **2.9.2**, and **2.10.1**, and urged administrators to upgrade immediately because successful exploitation could open a path to broader Kubernetes cluster compromise. The vulnerability was reported by **@j311yl0v3u** and **@b0b0haha**.
May 24, 2026