Goobi viewer CVE-2026-45083

Severity by source: CRITICAL
CVSS vector (GitHub Advisory, the only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (GitHub Advisory)
Summary
The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.
The API endpoint has now been removed.
Impact
- Complete Solr index read without authentication.
All documents indexed by the viewer, including those protected by access conditions such as moving walls, licence requirements or IP restrictions, can be read in full.
- Index data modification.
update() streaming expressions overwrite indexed field values. An attacker can alter metadata, change ACCESSCONDITION values, or corrupt document structure.
- Index data deletion.
delete() streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.
Patches
The endpoint was removed in commit 326980f24c.
Workarounds
Until an update can be deployed, the endpoint should be blocked by a reverse proxy or in the Tomcat configuration. Applying both is the safer choice: a proxy pattern is matched against the raw request path, whereas Tomcat strips path parameters (";name=value", the same mechanism as ;jsessionid=...) from every path segment before it maps the request, so a URL such as /api/v1/index;x=y/stream can pass a proxy regex that looks for "index/stream" and still reach the endpoint. A web.xml security constraint is evaluated after that normalisation and does not have this gap.
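For nginx as the reverse proxy, which the advisory does not cover, the equivalent of the httpd rule is the following. This is an added example, not part of the advisory; it assumes nginx proxies the viewer's full URL space to Tomcat, that this location block is placed before any other regex location that could match the same path (nginx uses the first matching regex location in file order), and that no prefix location declared with ^~ covers the path (those are never overridden by regex locations).

```nginx
# Added example (not from the advisory): deny the Goobi viewer streaming
# endpoint at the proxy. The unanchored regex matches /api/v1/... and
# /api/v2/... under any context path (/, /viewer/, ...).
# Place it before other "location ~" blocks that could match the same path.
location ~ api/v[12]/index/stream {
    return 403;
}
```

Like the httpd LocationMatch, this matches the normalised path but not one carrying Tomcat path parameters in a segment before "stream", so keep the web.xml constraint as the second layer.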
For Apache httpd the following block can be used in the vhost configuration:
<LocationMatch ^.*api/v[12]/index/stream.*$>
Require all denied
</LocationMatch>

Alternatively the following security constraint can be added in Tomcat via the relevant web.xml. Its url-patterns are relative to the web application's context path, so they stay the same whether the viewer answers at / or at /viewer; listing no <http-method> makes the constraint cover every method, and the empty <auth-constraint/> makes Tomcat reject every request to the resource with 403:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>blocked endpoint</web-resource-name>
    <url-pattern>/api/v1/index/stream</url-pattern>
    <url-pattern>/api/v1/index/stream/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

References
- Fix commit: 326980f24c
- Introducing commit: 6bfb1cbd42
- Solr Streaming Expressions reference
Contact
If you have any questions or comments about this advisory:
- Email us at support@intranda.com
Analysis (AI-generated)
Unauthenticated Solr streaming expression injection in Goobi viewer Core (versions 4.8.0 through 26.04) allows remote attackers to fully read, modify, or delete the backend Solr index by posting arbitrary expressions to the /api/v1/index/stream endpoint. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable with CVSS 9.8 and bypasses access-condition protections such as moving walls and licence restrictions. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | The Goobi viewer Core application (versions 4.8.0 through 26.04) must be deployed with the `/api/v1/index/stream` REST endpoint network-reachable to the attacker, which is its default state, requiring no authentication, no user interaction, and no special configuration. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is consistent with the description: a single unauthenticated HTTP POST yields full read, write, and delete on the Solr index, including documents otherwise protected by ACCESSCONDITION restrictions. … |
| Exploit Scenario | An attacker locates an internet-reachable Goobi viewer instance (commonly hosted by libraries and digital archives) and sends an unauthenticated `POST /api/v1/index/stream` request with body `search(collection,q="*:*", fl="*", sort="PI asc", qt="/select")` to exfiltrate every indexed document, including those normally gated by moving-wall or licence ACCESSCONDITION values. The same vector with a `delete(collection, search(...))` or `update(...)` expression lets the attacker wipe or tamper with the index on default Solr deployments, forcing a multi-hour re-index to recover. |
| Remediation | Vendor-released patch: upgrade Goobi viewer Core to v26.04.1 or later (https://github.com/intranda/goobi-viewer-core/releases/tag/v26.04.1), which removes the `/api/v1/index/stream` endpoint and the `solr-solrj-streaming` dependency per fix commit 326980f24ce1e7cfabf658dd5f615934ca68ebbd. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all Goobi viewer instances running versions 4.8.0-26.04; restrict network access to the /api/v1/index/stream endpoint if internet-facing. …
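Identifying affected instances is only half of the triage; the other half is finding out whether the endpoint was already called before the patch or workaround went in. The script below is an added example, not code from the advisory or from the Goobi viewer project. It scans access logs in the Apache "combined" format (Tomcat's AccessLogValve with pattern="combined" writes the same layout) for requests to the streaming endpoint under any context path, tolerating Tomcat path parameters in a segment, and groups the hits by client so the ones that received a 2xx (the expression was actually run) stand out from those that were refused. The log lines in SAMPLE_LOG are constructed for this example; the path-parameter matching rests on the assumption, stated in the workaround notes above, that Tomcat strips ";name=value" from each segment before mapping.

```python
"""
Added example, not code from the advisory or the Goobi viewer project: scan
httpd / Tomcat "combined" access logs for requests to the Goobi viewer
/api/v1/index/stream endpoint and report which clients got an answer that
means the posted Solr streaming expression was executed.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List

# One "combined" log line: client ident user [timestamp] "METHOD path proto" status bytes ...
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The endpoint under any context path (/, /viewer, ...) and either API version, allowing
# path parameters (";name=value", e.g. ;jsessionid=...) in any segment. Assumption about
# Tomcat behaviour: it strips these before mapping, so such a request still reaches the
# endpoint although the raw path is not the literal /api/v1/index/stream.
_ENDPOINT = re.compile(
    r'/api(?:;[^/?]*)?/v[12](?:;[^/?]*)?/index(?:;[^/?]*)?/stream(?:[/;?]|$)',
    re.IGNORECASE,
)

# Constructed sample log for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /viewer/api/v1/records/PPN123/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:10:02:15 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 200 987654 "-" "python-requests/2.31"
198.51.100.9 - - [12/May/2026:10:02:40 +0000] "POST /viewer/api/v1/index;jsessionid=0A1B/stream HTTP/1.1" 200 88 "-" "curl/8.5"
192.0.2.4 - - [13/May/2026:08:30:00 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 403 199 "-" "curl/8.5"
192.0.2.4 - - [13/May/2026:08:30:05 +0000] "GET /viewer/api/v1/index/stream/ HTTP/1.1" 404 0 "-" "curl/8.5"
"""


def hunt(log_text: str) -> Dict[str, List[dict]]:
    """Return every request to the endpoint, grouped by client IP.

    executed=True means the server answered 2xx, i.e. the expression in the request
    body was handed to Solr. The access log does not carry the body, so pair such hits
    with Solr's own request log to see what was run. A 403 or 404 means the request was
    stopped before the endpoint (proxy rule, web.xml constraint, or a build without it).
    """
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m or not _ENDPOINT.search(m["path"]):
            continue
        status = int(m["status"])
        hits[m["ip"]].append({
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            "executed": 200 <= status < 300,
        })
    return dict(hits)


def executed_sources(hits: Dict[str, List[dict]]) -> List[str]:
    """IPs with at least one executed request, largest total response size first.

    A large 2xx response to a POST is the read-the-whole-index case; a small 2xx response
    may be an update() or delete() expression, which returns little but changes the index.
    """
    totals = {ip: sum(h["bytes"] for h in hs if h["executed"]) for ip, hs in hits.items()}
    return sorted((ip for ip, hs in hits.items() if any(h["executed"] for h in hs)),
                  key=lambda ip: -totals[ip])


if __name__ == "__main__":
    # Usage: python hunt_stream.py /var/log/httpd/access_log  (no argument: sample data)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = hunt(text)
    for ip in executed_sources(found):
        for h in found[ip]:
            print(f'{ip} {h["ts"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["bytes"]} bytes)')
```

On the sample data the script reports 198.51.100.9 only: both of its requests were answered 200, including the one that hid the endpoint behind a ;jsessionid path parameter, while 192.0.2.4 was refused with 403 and 404 and is therefore noise rather than a compromise indicator.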
GitHub Advisory ID: GHSA-2rgp-f66f-4499