CVE-2026-45083: Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming
expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction.
An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.
The API endpoint has now been removed.
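As an added example (not part of the advisory or of the Goobi viewer project's code), the following Python script scans web-server access logs for POST requests to the endpoint named above, so operators can check whether it was called before the upgrade. It assumes Combined Log Format; the /viewer context path and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/api/v1/index/stream"  # path named in the advisory

# Constructed sample lines (documentation IP ranges, assumed /viewer context path).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2026:10:01:02 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [12/May/2026:10:01:09 +0000] "POST /viewer//api/v1/index/stream/?x=1 HTTP/1.1" 200 734 "-" "-"',
    '203.0.113.20 - - [12/May/2026:10:05:00 +0000] "POST /viewer/api/v1/index%2Fstream HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [12/May/2026:10:06:00 +0000] "GET /viewer/api/v1/index/stream HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.10 - - [12/May/2026:10:07:00 +0000] "POST /viewer/api/v1/index/streams HTTP/1.1" 404 0 "-" "-"',
]


def normalize_path(target):
    """Drop the query string, decode percent-escapes, strip ;params, collapse slashes."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r";[^/]*", "", path)   # ;jsessionid=... style path parameters
    path = re.sub(r"/{2,}", "/", path)
    return path.rstrip("/")


def find_stream_requests(lines):
    """Return {client_ip: [(time, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # endswith() also matches deployments under a context path.
        if normalize_path(m["target"]).endswith(ENDPOINT):
            hits[m["ip"]].append((m["time"], int(m["status"])))
    return dict(hits)


def served_clients(hits):
    """Client IPs that received at least one 2xx response from the endpoint."""
    return sorted(ip for ip, evs in hits.items() if any(200 <= s < 300 for _, s in evs))


if __name__ == "__main__":
    print(served_clients(find_stream_requests(SAMPLE_LOG)))
```

Clients returned by served_clients received a 2xx response from the endpoint; those are the requests to prioritise when reviewing the Solr index for unexpected reads or changes.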
References
- github.com/advisories/GHSA-2rgp-f66f-4499
- github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd
- github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705
- github.com/intranda/goobi-viewer-core/releases/tag/v26.04.1
- github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499
- nvd.nist.gov/vuln/detail/CVE-2026-45083