Solr Security

Report a New Vulnerability

The Solr PMC greatly appreciates responsible disclosure of new security vulnerabilities, whether found in Solr itself or shown to be exploitable in Solr through one of its dependencies. It is important not to publish a previously unknown exploit, or exploit demonstration code, on public mailing lists or issue trackers before coordinating with the PMC.

See the vulnerability reporting procedure for the full reporting rules, the workflow diagram, and what to expect after you report.

CVEs in Dependencies Detected by Scanners

Every CVE detected by a scanner is by definition already public knowledge. Before contacting the security team about a dependency CVE, please:

  1. Check the dependency CVE status page to see if the CVE has already been assessed as not exploitable in Solr.
  2. Search the Solr users mailing list archive to see if the CVE has been discussed.
  3. If nothing is found, subscribe to the users list and ask there.

Dos and Don'ts

  • DO discuss dependency upgrade needs on the users mailing list
  • DO search Jira for the CVE number before opening a new issue
  • DO open a focused Jira issue with a PR to upgrade a single specific dependency
  • DO look into automating CVE triage with VEX and share your experience
  • DO NOT email the security address with scanner reports — they will not be processed
  • DO NOT paste scan output into Jira or attach reports — link the CVE instead

Use of Jira

Jira is for discussing specific development modifications. Any Jira issue that contains only scan report output, or that references multiple dependencies at the same time, is likely to be ignored or closed. The large number of reports about already-known issues is a serious drag on our volunteer time, so please search Jira before opening a new issue.

Recent CVE Disclosures for Apache Solr

The five most recent security advisories.

CVE#            Date        Announcement
CVE-2026-22022  2026-01-20  Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin
CVE-2026-22444  2026-01-20  Insufficient file-access checking in standalone core-creation requests
CVE-2025-66516  2025-12-09  Apache Solr extraction module vulnerable to XXE attacks via XFA content in PDFs
CVE-2024-52012  2025-01-26  Apache Solr: Configset upload on Windows allows arbitrary path write-access
CVE-2025-24814  2025-01-26  Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files

See full security news history →

More Information