The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
PUBLISHED5.2CWE-306
Goobi viewer: Unauthenticated Solr Streaming Expression Proxy
Problem type
Affected products
intranda
goobi-viewer-core
>= 4.8.0, < 26.04.1 - AFFECTED
References
https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499
https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499
https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd
https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd
https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705
https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705
GitHub Security Advisories
GHSA-2rgp-f66f-4499
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
https://github.com/advisories/GHSA-2rgp-f66f-4499Summary
The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming
expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction.
An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.
The API endpoint has now been removed.
Impact
Complete Solr index read without authentication. All documents indexed by the viewer including those protected by access conditions such as moving walls, licence requirements or IP restrictions - can be read in full.
Index data modification.
update()streaming expressions overwrite indexed field values. An attacker can alter metadata, changeACCESSCONDITIONvalues, or corrupt document structure.Index data deletion.
delete()streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.
Patches
The endpoint was removed in 326980f24c
Workarounds
Until an update can be deployed, the endpoint should be blocked by a reverse proxy or in the tomcat configuration.
For Apache httpd the following block can be used in the vhost configuration:
<LocationMatch ^.*api/v[12]/index/stream.*$>
Require all denied
</LocationMatch>
Alternatively the following security constraint can be added in tomcat via the relevant web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>blocked endpoint</web-resource-name>
<url-pattern>/api/v1/index/stream</url-pattern>
<url-pattern>/api/v1/index/stream/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
References
- Fix commit: 326980f24c
- Introducing commit: 6bfb1cbd42
- Solr Streaming Expressions reference
Contact
If you have any questions or comments about this advisory:
- Email us at support@intranda.com
github.com
https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499
github.com
https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd
github.com
https://github.com/intranda/goobi-viewer-core/releases/tag/v26.04.1
github.com
https://github.com/advisories/GHSA-2rgp-f66f-4499
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-45083Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-45083",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-27T21:00:52.103Z",
"dateReserved": "2026-05-08T18:45:10.097Z",
"datePublished": "2026-05-27T21:00:52.103Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-27T21:00:52.103Z"
},
"title": "Goobi viewer: Unauthenticated Solr Streaming Expression Proxy",
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1."
}
],
"affected": [
{
"vendor": "intranda",
"product": "goobi-viewer-core",
"versions": [
{
"version": ">= 4.8.0, < 26.04.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-306: Missing Authentication for Critical Function",
"cweId": "CWE-306",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499",
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd",
"name": "https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705",
"name": "https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
}
]
}
}
}