Goobi viewer CVE-2026-45083

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-13 https://github.com/intranda/goobi-viewer-core GHSA-2rgp-f66f-4499
9.8
CVSS 3.1 · GitHub Advisory
Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 - 08:33 (vuln.today)
Analysis Generated: Jun 08, 2026 - 08:33 (vuln.today)
CVE Published: May 13, 2026 - 15:33 (nvd)

Description (GitHub Advisory)

Summary

The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.

The API endpoint has now been removed.

Impact

  • Complete Solr index read without authentication. All documents indexed by the viewer, including those protected by access conditions such as moving walls, licence requirements or IP restrictions, can be read in full.

  • Index data modification. update() streaming expressions overwrite indexed field values. An attacker can alter metadata, change ACCESSCONDITION values, or corrupt document structure.

  • Index data deletion. delete() streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.

Patches

The endpoint was removed in commit 326980f24c.

Workarounds

Until an update can be deployed, the endpoint should be blocked by a reverse proxy or in the Tomcat configuration.

For Apache httpd the following block can be used in the vhost configuration:

<LocationMatch ^.*api/v[12]/index/stream.*$>
    Require all denied
</LocationMatch>

Alternatively, the following security constraint can be added in Tomcat via the relevant web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>blocked endpoint</web-resource-name>
    <url-pattern>/api/v1/index/stream</url-pattern>
    <url-pattern>/api/v1/index/stream/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
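Whichever block is deployed, the access log is where an operator confirms it took effect and finds out who reached the endpoint before it did. The following triage script is an added example for this page, not code from the advisory or the Goobi viewer project; the combined-format log lines, client addresses and paths it works on are constructed.

```python
"""Triage combined-format access logs (Apache httpd / Tomcat AccessLogValve) for
requests to the Goobi viewer endpoint described in CVE-2026-45083. Added example,
not Goobi viewer project code; log lines, addresses and paths are constructed."""
import re
from collections import Counter

# Mirrors the advisory's LocationMatch rule: v1/v2 prefix, optional slash or query.
STREAM_PATH = re.compile(r"/api/v[12]/index/stream(?:/|\?|$)")

# Combined log format: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client reaches the endpoint before the block exists
# (200); another is rejected by the httpd/Tomcat workaround (403).
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:09:12:01 +0000] "GET /viewer/image/PPN123/1/ HTTP/1.1" 200 5121
203.0.113.7 - - [14/May/2026:09:12:05 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 200 883412
198.51.100.4 - - [14/May/2026:09:14:22 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 403 199
198.51.100.4 - - [14/May/2026:09:14:30 +0000] "GET /viewer/api/v1/index/query?q=PI:PPN123 HTTP/1.1" 200 2311
203.0.113.7 - - [14/May/2026:09:15:00 +0000] "POST /viewer/api/v1/index/stream/ HTTP/1.1" 200 1203
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0  # "-" = no body
    return rec


def find_stream_requests(log_text):
    """Return every request to the vulnerable endpoint. 'served' is True for a 2xx
    answer (the expression reached Solr); a 403 shows the workaround blocking it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and STREAM_PATH.search(rec["path"]):
            rec["served"] = 200 <= rec["status"] < 300
            hits.append(rec)
    return hits


def served_by_client(hits):
    """Clients whose expressions executed. The log cannot show what they read or
    altered, so these drive the post-incident index integrity review."""
    return Counter(h["client"] for h in hits if h["served"])
```

A large response size on a served POST is consistent with a bulk read of the index; a small one says nothing either way, since update() and delete() expressions return little, so every served client should be treated as a possible write.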

Contact

If you have any questions or comments about this advisory:

  • Email us at [support@intranda.com](mailto:support@intranda.com)

Analysis (AI)

Unauthenticated Solr streaming expression injection in Goobi viewer Core (versions 4.8.0 through 26.04) allows remote attackers to fully read, modify, or delete the backend Solr index by posting arbitrary expressions to the /api/v1/index/stream endpoint. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable with CVSS 9.8 and bypasses access-condition protections such as moving walls and licence restrictions. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Discover internet-exposed Goobi viewer
Delivery: POST crafted streaming expression to /api/v1/index/stream
Exploit: Solr executes expression unrestricted
Execution: Exfiltrate access-restricted documents
Persist: Issue update()/delete() to tamper or wipe index
Impact: Force operator re-index to recover

Vulnerability Assessment (AI)

Exploitation: The Goobi viewer Core application (versions 4.8.0 through 26.04) must be deployed with the `/api/v1/index/stream` REST endpoint network-reachable to the attacker, which is its default state, requiring no authentication, no user interaction, and no special configuration. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is consistent with the description: a single unauthenticated HTTP POST yields full read, write, and delete on the Solr index, including documents otherwise protected by ACCESSCONDITION restrictions. …

Exploit Scenario: An attacker locates an internet-reachable Goobi viewer instance (commonly hosted by libraries and digital archives) and sends an unauthenticated `POST /api/v1/index/stream` request with body `search(collection,q="*:*", fl="*", sort="PI asc", qt="/select")` to exfiltrate every indexed document, including those normally gated by moving-wall or licence ACCESSCONDITION values. The same vector with a `delete(collection, search(...))` or `update(...)` expression lets the attacker wipe or tamper with the index on default Solr deployments, forcing a multi-hour re-index to recover.

Remediation: Vendor-released patch: upgrade Goobi viewer Core to v26.04.1 or later (https://github.com/intranda/goobi-viewer-core/releases/tag/v26.04.1), which removes the `/api/v1/index/stream` endpoint and the `solr-solrj-streaming` dependency per fix commit 326980f24ce1e7cfabf658dd5f615934ca68ebbd. …

Recommended Action (AI)

Within 24 hours: Identify all Goobi viewer instances running versions 4.8.0-26.04; restrict network access to the /api/v1/index/stream endpoint if internet-facing. …

CVE-2026-45083 vulnerability details – vuln.today
