{"id":"CVE-2026-22022","details":"Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's \"Rule Based Authorization Plugin\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.  Only deployments that meet all of the following criteria are impacted by this vulnerability:\n\n  *  Use of Solr's \"RuleBasedAuthorizationPlugin\"\n  *  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \"roles\"\n  *  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \"config-read\", \"config-edit\", \"schema-read\", \"metrics-read\", or \"security-read\".\n  *  A RuleBasedAuthorizationPlugin permission list that doesn't define the \"all\" pre-defined permission\n  *  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, neither modified nor restricted by any intervening proxy or gateway)\n\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \"all\" pre-defined permission and associates the permission with an \"admin\" or other privileged role.  
Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.","aliases":["BIT-solr-2026-22022","GHSA-qr3p-2xj2-q7hq"],"modified":"2026-04-12T20:21:38.261965Z","published":"2026-01-21T14:16:06.573Z","related":["CGA-v884-63cq-g6p8"],"references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/01/20/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/solr","events":[{"introduced":"cb922f860e8f7522287b55ea4bcd1059219bc1b3"},{"fixed":"c135e6335c7158fa26e96b0dc386f825255b47c0"}],"database_specific":{"versions":[{"introduced":"5.3.0"},{"fixed":"9.10.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22022.json","vanir_signatures_modified":"2026-04-12T20:21:38Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}