Skip to main content

Apache Lucene.Net CVE-2026-47896

| EUVDEUVD-2026-41519 HIGH
Path Traversal (CWE-22)
8.9
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X
vuln.today AI
8.6 MEDIUM

Unauthenticated network read (PR:N/AV:N/AC:L) disclosing files outside the index directory gives S:C and C:H, with no integrity or availability impact (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jul 03, 2026 - 10:01 EUVD
Analysis Updated
Jul 03, 2026 - 09:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 03, 2026 - 09:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 03, 2026 - 09:22 vuln.today
cvss_changed
CVSS changed
Jul 03, 2026 - 09:22 NVD
8.9 (HIGH)
Analysis Generated
Jul 03, 2026 - 02:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Path traversal (CWE-22) in the Apache Lucene.Net.Replicator library lets remote attackers read files outside the intended index directory by supplying crafted pathnames to the replication service, disclosing arbitrary server-side files. All releases from 4.8.0-beta00005 through 4.8.0-beta00017 are affected, and Apache fixed it in 4.8.0-beta00018. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate exposed Lucene.Net replication endpoint
Delivery
Send request with '../' traversal in file path
Exploit
Service resolves path outside index dir
Execution
Read arbitrary server files
Impact
Exfiltrate secrets/configuration

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application deploys and network-exposes the Lucene.Net.Replicator server component (the HTTP ReplicationService that serves index files) on an affected version (4.8.0-beta00005 through 4.8.0-beta00017) - this is the AT:P attack requirement and the primary limiting factor, since embedded Lucene.Net search without the replicator is not exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N, score 8.9 High) indicates a network-reachable, low-complexity, unauthenticated read-only disclosure with a subsequent-system confidentiality impact (SC:H) and no integrity or availability impact - consistent with arbitrary file read rather than code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Lucene.Net replication HTTP endpoint sends a crafted request whose file or session identifier contains directory-traversal sequences (e.g. '../../') to escape the index directory and retrieve arbitrary files such as configuration files, credentials, or connection strings on the server. …
Remediation Vendor-released patch: upgrade the Lucene.Net.Replicator package to 4.8.0-beta00018, which fixes the path traversal, as recommended in the Apache advisory (https://seclists.org/oss-sec/2026/q3/13 and https://lucenenet.apache.org/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications running Apache Lucene.Net.Replicator versions 4.8.0-beta00005 through 4.8.0-beta00017. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy