VYPR
Critical severity · NVD Advisory · Published Oct 16, 2024 · Updated Nov 8, 2024

Apache Solr: Authentication bypass possible using a fake URL Path ending

CVE-2024-45216

Description

Improper Authentication vulnerability in Apache Solr.

Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path; however, it is stripped off internally after authentication but before API routing.

This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0.

Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-45216 is an authentication bypass in Apache Solr's PKIAuthenticationPlugin via a fake URL path ending, allowing unauthenticated access to protected APIs.

Vulnerability

Details

CVE-2024-45216 is an improper authentication vulnerability in Apache Solr's PKIAuthenticationPlugin, which is enabled by default when Solr authentication is configured [1][3]. The plugin incorrectly handles URL paths: appending a fake ending (e.g., :/admin/info/key) to any Solr API URL allows requests to skip authentication while maintaining the original API contract. The fake ending is stripped internally after authentication but before API routing, bypassing access controls [2][4].

Exploitation

An attacker can exploit this by crafting a request to a protected API endpoint and appending the special fake path ending. No authentication credentials are required to access the API, as the PKIAuthenticationPlugin fails to validate the request properly. The attack is performed over HTTP, and no special network position is needed if the Solr instance is exposed [2][4].

Impact

Successful exploitation allows an unauthenticated attacker to access any Solr API endpoint that is normally protected by authentication. This could lead to information disclosure, including sensitive configuration details (e.g., using /admin/info/properties or /admin/info/key), and potentially further compromise of the Solr instance [4]. The CVSS 4.0 severity rating is critical (9.3), reflecting the ease of exploitation and potential impact [1].

Mitigation

Apache Solr has released fixed versions 8.11.4 and 9.7.0, which correct the URL path handling in PKIAuthenticationPlugin [1][3]. Users are strongly recommended to upgrade immediately. There are no known workarounds; the only mitigation is to apply the patch or upgrade to a non-vulnerable version [2].
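The Details, Exploitation and Mitigation passages above describe two things a defender can act on: the request shape (a real API path with a colon-separated fake ending such as :/admin/info/key appended, which is stripped after authentication) and the affected version ranges. The following is an added example, not code from the Apache Solr project or from this advisory. It assumes an HTTP access log in a combined-style format (the sample lines are constructed for illustration), generalizes the documented suffix to any ":/" inside the path component (an assumption beyond the page's single example), and takes the affected ranges from this page's Affected packages table.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample access-log lines (not real traffic). The third line carries
# the ":/admin/info/key" ending described in the advisory; the last line has a
# colon only in the query string, which must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [16/Oct/2024:10:01:02 +0000] "GET /solr/admin/info/system HTTP/1.1" 401 12',
    '10.0.0.5 - - [16/Oct/2024:10:01:03 +0000] "GET /solr/admin/info/key HTTP/1.1" 200 300',
    '10.0.0.9 - - [16/Oct/2024:10:02:11 +0000] "GET /solr/admin/info/system:/admin/info/key HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Oct/2024:10:02:12 +0000] "GET /solr/collection1/select?q=*:* HTTP/1.1" 401 12',
]

# Combined-style request line: client, timestamp, method, target, status.
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Affected ranges as listed on this page: [lower, upper) per line of the table.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("5.3.0", "8.11.4"),
    ("9.0.0", "9.7.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric Solr version (e.g. '8.11.3') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def split_fake_ending(path: str) -> Optional[Tuple[str, str]]:
    """Split a URL path at the first ':/' into (real_path, fake_ending).

    Returns None when the path carries no such suffix. Only the path component
    should be passed in; the query string is handled by the caller.
    """
    idx = path.find(":/")
    if idx == -1:
        return None
    return path[:idx], path[idx + 1:]


def find_bypass_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines and report requests whose path has a ':/...' ending.

    A 2xx status on such a request is the strongest signal, because the real
    path would normally have required authentication; a 401/403 indicates the
    fixed version (or another control) rejected it.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # unparsable line; a production scanner would count these
        path = m.group("target").split("?", 1)[0]  # drop the query string
        split = split_fake_ending(path)
        if split is None:
            continue
        real_path, fake_ending = split
        status = int(m.group("status"))
        hits.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "requested_path": path,
            "real_path": real_path,
            "fake_ending": fake_ending,
            "status": status,
            "succeeded": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG_LINES):
        print(hit)
    for candidate in ("8.11.3", "8.11.4", "9.6.1", "9.7.0"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```

Running this over the constructed lines reports exactly one hit, the request for /solr/admin/info/system with the fake ending /admin/info/key that received a 200; the legitimate /solr/admin/info/key request and the query with a colon in its parameters are left alone. The version check treats the patched releases 8.11.4 and 9.7.0 as the exclusive upper bounds, matching the table above.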

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions    Patched versions
org.apache.solr:solr (Maven)  >= 5.3.0, < 8.11.4   8.11.4
org.apache.solr:solr (Maven)  >= 9.0.0, < 9.7.0    9.7.0

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)