Goobi Viewer Unauthenticated Solr Streaming Expression Proxy Vulnerability
The Goobi viewer REST endpoint accepted an arbitrary Solr streaming expression from unauthenticated network clients, enabling attackers to read, modify, or delete the complete Solr index; this was resolved by removing the affected API endpoint.
The Goobi viewer is vulnerable to an unauthenticated Solr streaming expression proxy issue. Specifically, the REST endpoint POST /api/v1/index/stream was accepting arbitrary Solr streaming expressions from unauthenticated network clients and forwarding them to the backend Solr server without any restrictions. This vulnerability, present in versions 4.8.0 up to and including 26.04, allowed attackers to potentially read the entire Solr index and modify or delete indexed records. The vulnerability has been addressed by removing the affected API endpoint in commit 326980f24c. This vulnerability matters because it could lead to complete data loss or unauthorized disclosure of sensitive data. The CVE assigned to this vulnerability is CVE-2026-45083.
Attack Chain
- An unauthenticated attacker sends a POST request to /api/v1/index/stream on the Goobi viewer server.
- The attacker crafts a malicious Solr streaming expression within the body of the POST request.
- The Goobi viewer forwards the attacker-supplied Solr streaming expression to the backend Solr server.
- The Solr server executes the streaming expression without proper authorization checks due to the exposed proxy endpoint.
- Using select(), the attacker reads the content of the Solr index, including documents protected by access conditions.
- The attacker uses update() streaming expressions to overwrite indexed field values, potentially changing metadata or access conditions.
- Alternatively, the attacker uses delete() streaming expressions to remove documents from the index.
- If delete is used, the attacker can wipe the entire collection, leading to a denial of service.
Impact
Successful exploitation of this vulnerability could result in the complete disclosure of all documents indexed by the Goobi viewer, including those protected by access conditions. Attackers could also modify metadata, change access conditions, or corrupt the document structure. A single delete() expression can permanently remove documents, potentially leading to complete data loss and requiring a full re-index of the Solr collection. This vulnerability impacts organizations that rely on Goobi viewer to manage and serve sensitive documents.
Recommendation
- Apply the patch provided in commit 326980f24c to remove the vulnerable endpoint.
- As an immediate workaround, block access to the /api/v1/index/stream endpoint using a reverse proxy or Tomcat configuration, as detailed in the advisory, to prevent exploitation.
- Deploy the Sigma rule "Detect Goobi Viewer Solr Streaming Expression Attempt" to identify potential exploitation attempts targeting the vulnerable endpoint.
Detection coverage (2 rules)
- Detect Goobi Viewer Solr Streaming Expression Attempt (high): detects CVE-2026-45083 exploitation, i.e. attempts to access the /api/v1/index/stream endpoint, indicating a potential Solr streaming expression injection attack.
- Detect Goobi Viewer Solr Streaming Expression Blocked Attempt (medium): detects attempts to access the /api/v1/index/stream endpoint after a block is in place, indicated by a 403 or 405 status code.
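The two detection rules above, as an added example that is not from the advisory or the Goobi project: a small Python detector run over constructed web-server access log lines (Combined Log Format is assumed) that flags any request to /api/v1/index/stream and, as the second rule does, classifies 403/405 responses as blocked attempts.

```python
import re
from dataclasses import dataclass

# Fields of the Combined Log Format that the detector relies on (format assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoint removed by the fix; any request to it after patching is suspicious.
TARGET_PATH = "/api/v1/index/stream"

@dataclass
class Alert:
    ip: str
    ts: str
    level: str    # "high" for an attempt, "medium" for a blocked attempt
    title: str

def classify(line: str):
    """Return an Alert for a request to the stream endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a parsable access-log line
    path = m.group("path").split("?", 1)[0].rstrip("/")
    if path != TARGET_PATH:
        return None                      # some other endpoint, not of interest
    status = int(m.group("status"))
    if status in (403, 405):             # block (proxy/Tomcat) is in place and worked
        return Alert(m.group("ip"), m.group("ts"), "medium",
                     "Detect Goobi Viewer Solr Streaming Expression Blocked Attempt")
    return Alert(m.group("ip"), m.group("ts"), "high",
                 "Detect Goobi Viewer Solr Streaming Expression Attempt")

def scan(lines):
    """Run classify() over every line and keep only the hits."""
    return [a for a in (classify(line) for line in lines) if a is not None]

# Constructed sample log lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.5 - - [10/May/2026:12:05:44 +0000] "POST /api/v1/index/stream HTTP/1.1" 403 153 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2026:12:06:00 +0000] "GET /api/v1/records/PPN123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2026:12:07:13 +0000] "GET /api/v1/index/stream?expr=x HTTP/1.1" 405 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.level}] {alert.ts} {alert.ip}: {alert.title}")
```

A 200 on this path after the workaround is deployed means the block is not covering the endpoint and should be treated as the high-severity case.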