GHSA-2RGP-F66F-4499

Vulnerability from github – Published: 2026-05-13 15:33 – Updated: 2026-05-13 15:33
VLAI
Summary
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
Details

Summary

The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.

The API endpoint has now been removed.

Impact

  • Complete Solr index read without authentication. All documents indexed by the viewer including those protected by access conditions such as moving walls, licence requirements or IP restrictions - can be read in full.

  • Index data modification. update() streaming expressions overwrite indexed field values. An attacker can alter metadata, change ACCESSCONDITION values, or corrupt document structure.

  • Index data deletion. delete() streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.

Patches

The endpoint was removed in 326980f24c

Workarounds

Until an update can be deployed, the endpoint should be blocked by a reverse proxy or in the tomcat configuration.

For Apache httpd the following block can be used in the vhost configuration:

<LocationMatch ^.*api/v[12]/index/stream.*$>
    Require all denied
</LocationMatch>

Alternatively the following security constraint can be added in tomcat via the relevant web.xml:

<security-constraint>
      <web-resource-collection>
        <web-resource-name>blocked endpoint</web-resource-name>
        <url-pattern>/api/v1/index/stream</url-pattern>
        <url-pattern>/api/v1/index/stream/*</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
</security-constraint>

References

Contact

If you have any questions or comments about this advisory:

Severity
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.goobi.viewer:viewer-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "last_affected": "26.04"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:33:24Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe Goobi viewer REST endpoint `POST /api/v1/index/stream` accepted an arbitrary Solr streaming\nexpression from unauthenticated network clients and forwarded it to the backend Solr server without restriction.\nAn attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.\n\nThe API endpoint has now been removed.\n\n### Impact\n\n- **Complete Solr index read without authentication.**\n  All documents indexed by the viewer  including those protected by access conditions such as moving walls, licence requirements or IP restrictions - can be read in full.\n\n- **Index data modification.**\n  `update()` streaming expressions overwrite indexed field values. An attacker can alter metadata, change `ACCESSCONDITION` values, or corrupt document structure.\n\n- **Index data deletion.**\n  `delete()` streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.\n\n### Patches\n\nThe endpoint was removed in 326980f24c\n\n### Workarounds\n\nUntil an update can be deployed, the endpoint should be blocked by a reverse proxy or in the tomcat configuration.\n\nFor Apache httpd the following block can be used in the vhost configuration:\n\n```\n\u003cLocationMatch ^.*api/v[12]/index/stream.*$\u003e\n    Require all denied\n\u003c/LocationMatch\u003e\n```\n\nAlternatively the following security constraint can be added in tomcat via the relevant web.xml:\n```\n\u003csecurity-constraint\u003e\n      \u003cweb-resource-collection\u003e\n        \u003cweb-resource-name\u003eblocked endpoint\u003c/web-resource-name\u003e\n        \u003curl-pattern\u003e/api/v1/index/stream\u003c/url-pattern\u003e\n        \u003curl-pattern\u003e/api/v1/index/stream/*\u003c/url-pattern\u003e\n      \u003c/web-resource-collection\u003e\n      \u003cauth-constraint/\u003e\n\u003c/security-constraint\u003e\n```\n\n### References\n\n- Fix commit: 326980f24c\n- Introducing commit: 6bfb1cbd42\n- [Solr Streaming Expressions reference](https://solr.apache.org/guide/solr/latest/query-guide/streaming-expressions.html)\n\n\n### Contact\n\nIf you have any questions or comments about this advisory:\n\n- Email us at [support@intranda.com](mailto:support@intranda.com)",
  "id": "GHSA-2rgp-f66f-4499",
  "modified": "2026-05-13T15:33:24Z",
  "published": "2026-05-13T15:33:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/intranda/goobi-viewer-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/intranda/goobi-viewer-core/releases/tag/v26.04.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.