This module checks for and exploits CVE-2026-44825, a hardcoded credentials exposure in the Apache Solr AuthTool BasicAuth configuration workflow. The vulnerability occurs when an Apache SolrCloud deployment is initialized with bin/solr auth enable. During that process, AuthTool loads the bundled security.json template and adds the administrator-supplied user, but it may leave template users such as superadmin, admin, index, and search enabled. In affected installations, those users keep trivial passwords equal to their usernames. In affected installations, those users keep trivial passwords equal to their usernames (superadmin, admin, index, search). As a result, a remote attacker who can reach the Solr HTTP interface may authenticate with predictable credentials and access protected administrative endpoints. If the template accounts have high-impact permissions, the attacker may also be able to modify authentication or authorization settings, create users, or assign roles. Steps: Fingerprint the target by querying Apache Solr administrative endpoints and checking for Solr, BasicAuth, SolrCloud, and version indicators. Attempt the known template credentials superadmin:superadmin, admin:admin, index:index, and search:search against read-only administrative endpoints. If any template credential is accepted, mark the target as vulnerable and register CVE-2026-44825. Retrieve authorization data with the accepted credential and report the effective roles and permissions, including high-impact permissions such as security-edit, config-edit, core-admin-edit, and collection-admin-edit. A malicious attacker with this account may access indexed data stored in Solr and, depending on the assigned roles, create or modify Solr users and roles, change security settings, or alter core and collection configuration. If CREATE USER parameters are provided, use the valid template credential to create or update a proof user through /admin/authentication. Assign the proof user the template roles through /admin/authorization to demonstrate security configuration impact. Verify that the proof user can authenticate successfully and store the created credentials in Identity as exploitation evidence.
CVE Link
Exploit Type
Product Name