{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/intranda/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Goobi viewer"],"_cs_severities":["medium"],"_cs_tags":["solr","proxy","unauthenticated","CVE-2026-45083","critical"],"_cs_type":"advisory","_cs_vendors":["Intranda"],"content_html":"\u003cp\u003eThe Goobi viewer is vulnerable to an unauthenticated Solr streaming expression proxy issue. Specifically, the REST endpoint \u003ccode\u003ePOST /api/v1/index/stream\u003c/code\u003e was accepting arbitrary Solr streaming expressions from unauthenticated network clients and forwarding them to the backend Solr server without any restrictions. This vulnerability, present in versions 4.8.0 up to and including 26.04, allowed attackers to potentially read the entire Solr index and modify or delete indexed records. The vulnerability has been addressed by removing the affected API endpoint in commit 326980f24c. This vulnerability matters because it could lead to complete data loss or unauthorized disclosure of sensitive data. The CVE assigned to this vulnerability is CVE-2026-45083.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a POST request to \u003ccode\u003e/api/v1/index/stream\u003c/code\u003e on the Goobi viewer server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Solr streaming expression within the body of the POST request.\u003c/li\u003e\n\u003cli\u003eThe Goobi viewer forwards the attacker-supplied Solr streaming expression to the backend Solr server.\u003c/li\u003e\n\u003cli\u003eThe Solr server executes the streaming expression without proper authorization checks due to the exposed proxy endpoint.\u003c/li\u003e\n\u003cli\u003eUsing \u003ccode\u003eselect()\u003c/code\u003e the attacker reads the content of the Solr index, including documents protected by access conditions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eupdate()\u003c/code\u003e streaming expressions to overwrite indexed field values, potentially changing metadata or access conditions.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003edelete()\u003c/code\u003e streaming expressions to remove documents from the index.\u003c/li\u003e\n\u003cli\u003eIf delete is used, the attacker can wipe the entire collection, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could result in the complete disclosure of all documents indexed by the Goobi viewer, including those protected by access conditions. Attackers could also modify metadata, change access conditions, or corrupt the document structure. A single \u003ccode\u003edelete()\u003c/code\u003e expression can permanently remove documents, potentially leading to complete data loss and requiring a full re-index of the Solr collection. This vulnerability impacts organizations that rely on Goobi viewer to manage and serve sensitive documents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in commit \u003ca href=\"https://github.com/advisories/GHSA-2rgp-f66f-4499\"\u003e326980f24c\u003c/a\u003e to remove the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eAs an immediate workaround, block access to the \u003ccode\u003e/api/v1/index/stream\u003c/code\u003e endpoint using a reverse proxy or Tomcat configuration as detailed in the advisory to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goobi Viewer Solr Streaming Expression Attempt\u0026rdquo; to identify potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:35:36Z","date_published":"2026-05-13T15:35:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-goobi-viewer-solr-proxy/","summary":"The Goobi viewer REST endpoint accepted an arbitrary Solr streaming expression from unauthenticated network clients, enabling attackers to read, modify, or delete the complete Solr index; this was resolved by removing the affected API endpoint.","title":"Goobi Viewer Unauthenticated Solr Streaming Expression Proxy Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-goobi-viewer-solr-proxy/"}],"language":"en","title":"CraftedSignal Threat Feed — Intranda","version":"https://jsonfeed.org/version/1.1"}