Skip to main content

Apache Lucene.Net CVE-2026-47897

| EUVDEUVD-2026-41518 HIGH
Path Traversal (CWE-22)
8.9
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X
vuln.today AI
6.8 MEDIUM

Network-reachable, unauthenticated path traversal with real gating conditions (AC:H); file disclosure crosses the security boundary into other files (S:C, C:H) with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jul 03, 2026 - 09:01 EUVD
Analysis Updated
Jul 03, 2026 - 08:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 03, 2026 - 08:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 03, 2026 - 08:22 vuln.today
cvss_changed
CVSS changed
Jul 03, 2026 - 08:22 NVD
8.9 (HIGH)
Analysis Generated
Jul 03, 2026 - 02:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach networked replication endpoint
Delivery
Send sync request with ../ traversal in filename
Exploit
Bypass index-directory restriction
Execution
Service reads out-of-scope file
Impact
Disclose file contents to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to an application that uses the Lucene.Net.Replicator module for index replication (the vulnerable code path is only present when replication is deployed), and the affected version must be in the range 4.8.0-beta00005 through 4.8.0-beta00017. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The only quantitative signal provided is the vendor CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N, score 8.9), which indicates a network-reachable, unauthenticated flaw with high confidentiality impact on both the vulnerable and a subsequent system, but notably with high attack complexity (AC:H) and a present attack requirement (AT:P) - meaning successful exploitation depends on specific, non-guaranteed conditions rather than a simple always-works request. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker able to reach a Lucene.Net.Replicator service (or acting as a malicious replication peer) issues a synchronization request in which the requested index file name embeds directory-traversal sequences, causing the service to open and return a file outside the index directory such as a configuration file or credential store. Because the CVSS vector is AC:H/AT:P, the attacker likely must satisfy specific timing or state conditions during the replication exchange for the traversal to succeed. …
Remediation Upgrade the Lucene.Net.Replicator package to version 4.8.0-beta00018, the vendor-released patched version that fixes the path traversal, updating the NuGet/package reference in any application that depends on the Replicator module and redeploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Query application inventories and configuration management systems to identify any systems running Apache Lucene.Net.Replicator versions 4.8.0-beta00005 through 4.8.0-beta00017, including development and staging environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy