COSMICBYTEZLABS
CVE-2026-45083 — Goobi Viewer Unauthenticated RCE via Solr Streaming Expression Injection

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

Security | Critical | CVE-2026-45083


A CVSS 9.8 flaw in the Goobi Viewer REST API lets unauthenticated clients inject Solr streaming expressions, enabling RCE on affected digital heritage platforms.

Dylan H.

Security Team

May 28, 2026
7 min read

Affected Products

  • Goobi Viewer 4.8.0 through 26.04.0 (all versions prior to 26.04.1)

Executive Summary

A critical unauthenticated remote code execution vulnerability (CVE-2026-45083, CVSS 9.8) has been disclosed in the Goobi Viewer, a widely deployed open-source web application used by libraries, archives, and museums to display digitized collections online. The flaw resides in the REST endpoint POST /api/v1/index/stream, which accepted arbitrary Apache Solr streaming expressions from unauthenticated network clients and forwarded them directly to the connected Solr backend.

Solr streaming expressions are a powerful and well-known code execution vector. Exploitation allows an unauthenticated attacker to execute arbitrary code on the Solr server — and, in many deployments, pivot to the application server hosting Goobi Viewer itself.

CVSS Score: 9.8 (Critical) | Authentication Required: None | Patch Available: Yes — upgrade to 26.04.1


Vulnerability Overview

Attribute             Value
CVE ID                CVE-2026-45083
CVSS Score            9.8 (Critical)
Type                  Remote Code Execution via Solr Streaming Expression Injection
Attack Vector         Network
Privileges Required   None (Unauthenticated)
User Interaction      None
Affected Versions     4.8.0 — 26.04.0 (before 26.04.1)
Patch Available       Yes — upgrade to 26.04.1
Vendor                intranda GmbH

What Is Goobi Viewer?

Goobi Viewer is an open-source Java web application published by intranda GmbH, widely adopted in the GLAM sector (Galleries, Libraries, Archives, Museums) to present digitized materials — manuscripts, books, maps, photographs, archival records — in browser-accessible digital collections. It is commonly deployed at:

  • National and university libraries
  • State archives and regional heritage institutions
  • Museums with digital collection portals
  • Research institutions and cultural foundations

Goobi Viewer uses Apache Solr as its search and indexing backend. The application indexes digitized content into Solr and exposes search functionality to users via the web interface.


Technical Analysis

Root Cause: Unauthenticated Solr Streaming Expression Forwarding

The vulnerable endpoint is:

POST /api/v1/index/stream

This REST endpoint was designed to forward streaming expression queries to the Solr backend for advanced search or export operations. The critical failure is that the endpoint accepted input from any network client without authentication, and forwarded the supplied Solr streaming expression without sanitization directly to the connected Solr instance.

Apache Solr Streaming Expressions as an RCE Vector

Apache Solr streaming expressions are a feature introduced to enable complex, distributed stream processing queries across Solr collections. While powerful for legitimate data processing, they have been a documented remote code execution vector in Solr for years. An attacker can craft a streaming expression that invokes:

  • OS command execution via Solr's built-in streaming functions
  • Arbitrary Java class loading via expression chains
  • File system read/write operations via fetch and rollup expressions

An attacker sends a crafted HTTP POST request to the vulnerable endpoint with a malicious streaming expression payload. Because the endpoint requires no authentication, any network-reachable client can trigger the exploit. If the Solr instance connected to Goobi Viewer has streaming expression access enabled (the default in many configurations), the result is OS command execution under the Solr process's user account.

Attack Flow

  1. Attacker discovers an internet-facing Goobi Viewer instance (versions 4.8.0-26.04.0)
  2. Attacker sends a crafted POST to /api/v1/index/stream — no credentials needed
  3. Goobi Viewer REST API forwards the streaming expression to the connected Solr backend
  4. Solr evaluates the streaming expression, invoking OS-level commands or Java reflection
  5. Arbitrary code executes under the Solr process context
  6. Attacker achieves RCE on the Solr server and potentially the Goobi application host
  7. Full access to indexed collection data, metadata, connected storage, and internal network

Why CVSS 9.8?

The maximum-severity CVSS 9.8 score reflects:

  • Network attack vector (remotely exploitable over HTTP)
  • No authentication required
  • No user interaction required
  • Full confidentiality, integrity, and availability impact on the Solr backend

Affected Products

Product         Affected Versions               Remediation
Goobi Viewer    4.8.0 to 26.04.0 (inclusive)    Upgrade to 26.04.1 immediately

The vulnerability was introduced in version 4.8.0 when the /api/v1/index/stream endpoint was added, and persists through all subsequent releases until the patched version 26.04.1.


Impact Assessment

Impact Area                  Description
Remote Code Execution        OS command execution under the Solr service account
Digitized Content Exposure   Full read access to all indexed collection metadata and content
Data Manipulation            Ability to corrupt or delete Solr indexes, destroying collection search functionality
Lateral Movement             Pivot from the Solr host to connected storage systems, databases, and internal networks
Service Disruption           Solr index corruption can render the entire digital collection inaccessible
Credential Exposure          Access to Solr configuration files containing database and storage credentials

Cultural heritage institutions often store high-resolution master images and authoritative metadata in systems connected to their Goobi deployments. A successful exploit can result in irreversible data loss if the Solr index is corrupted or deleted.


Remediation

Step 1: Upgrade to Goobi Viewer 26.04.1

# Check your current Goobi Viewer version (in the WAR manifest or admin interface);
# in an exploded WAR the manifest lives under META-INF, not WEB-INF
grep Implementation-Version /opt/goobi-viewer/META-INF/MANIFEST.MF

# Upgrade via the official intranda release on GitHub
# https://github.com/intranda/goobi-viewer-core/releases/tag/26.04.1

# For Maven-based deployments, update pom.xml:
# <version>26.04.1</version>
# Then rebuild and redeploy the WAR file

Step 2: Immediately Restrict the Vulnerable Endpoint (Pre-Patch Mitigation)

If you cannot immediately upgrade, block access to the streaming endpoint at the reverse proxy or WAF:

# Nginx — block all access to the stream endpoint ("deny all" already answers with 403)
location = /api/v1/index/stream {
    deny all;
}

# Or restrict to internal (RFC1918) IPs only. Use one of the two location blocks,
# not both: nginx rejects duplicate locations within the same server block.
location = /api/v1/index/stream {
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;
}

# Apache — block the endpoint entirely
<Location "/api/v1/index/stream">
    Require all denied
</Location>

Step 3: Restrict Solr Access to Localhost

Solr should never be internet-facing. Ensure it only listens on the loopback or internal interface:

# In solr.in.sh or solr.in.cmd, bind Solr to localhost
# (newer Solr releases also expose this setting as SOLR_JETTY_HOST="127.0.0.1")
SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"

# Verify Solr is not listening on 0.0.0.0 after a restart
ss -tlnp | grep 8983
# Should show 127.0.0.1:8983, not 0.0.0.0:8983 or *:8983

Step 4: Check for Signs of Exploitation

# Search Goobi Viewer access logs for POST requests to the stream endpoint
grep "POST /api/v1/index/stream" /var/log/goobi-viewer/access.log

# Flag requests from external IPs, i.e. anything outside the RFC1918 ranges
# 10/8, 172.16/12 and 192.168/16 (assumes the client IP is the first field;
# the pattern is anchored so that e.g. 110.x.x.x is not mistaken for 10.x.x.x)
grep "POST /api/v1/index/stream" /var/log/goobi-viewer/access.log | \
  grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

# Review Solr logs for unexpected streaming handler activity
grep -i "StreamHandler\|/stream" /opt/solr/logs/solr.log | tail -200

# Audit for unexpected new files owned by the Solr service user
# (replace "solr" with the account your Solr service actually runs as)
find /opt/solr -user solr -newer /opt/solr/RELEASE.txt -ls 2>/dev/null
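The grep-based triage in Step 4 can be made more precise with a small log parser. The following is an added example, not code from the advisory or from the Goobi Viewer project: it matches the endpoint path exactly (ignoring any query string), filters on the POST method, and treats all three RFC1918 ranges plus loopback and IPv6 ULA addresses as internal. The combined log format, the constructed sample lines and the internal ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [27/May/2026:10:14:02 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.3.4 - - [27/May/2026:10:15:10 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 1048 "-" "Mozilla/5.0"
198.51.100.9 - - [27/May/2026:10:16:44 +0000] "GET /api/v1/index/stream HTTP/1.1" 405 0 "-" "Mozilla/5.0"
172.31.8.2 - - [27/May/2026:10:17:01 +0000] "POST /api/v1/index/stream?x=1 HTTP/1.1" 500 0 "-" "curl/8.5"
2001:db8::1 - - [27/May/2026:10:18:30 +0000] "POST /api/v1/index/stream HTTP/1.1" 403 0 "-" "curl/8.5"
"""

STREAM_PATH = "/api/v1/index/stream"
# Ranges treated as internal (assumption: RFC1918, IPv4 loopback, IPv6 loopback and ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]
# Client IP, timestamp, request line and status code from a common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    """True unless the address is in INTERNAL_NETS; unparseable values count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def find_stream_hits(log_text: str, external_only: bool = True) -> list:
    """Collect POSTs to the vulnerable endpoint, by default only from external clients."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec is not None and rec["method"] == "POST"
                and rec["path"].split("?", 1)[0] == STREAM_PATH   # ignore any query string
                and (not external_only or is_external(rec["ip"]))):
            hits.append(rec)
    return hits
```

If Goobi Viewer sits behind a reverse proxy, the first field will be the proxy's own address; run the parser over the proxy's access log instead, or extend LOG_RE to read the forwarded client address your proxy logs.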

Detection Indicators

Indicator                                                        Description
POST requests to /api/v1/index/stream from external IPs          Direct exploitation attempt
Solr log entries showing unexpected StreamHandler invocations    Streaming expression injection
Unexpected processes spawned as the Solr service user            Successful code execution
New or modified files in Solr data directories                   Post-exploitation persistence
Outbound connections from the Solr host to external IPs          C2 or data exfiltration
Solr index corruption or missing collections                     Destructive exploitation

Post-Remediation Checklist

  1. Upgrade to Goobi Viewer 26.04.1 — the only authoritative fix
  2. Verify Solr is not internet-facing — Solr must listen only on localhost or the internal network
  3. Rotate Solr and application database credentials — treat as potentially compromised
  4. Audit Solr indexes for unexpected modifications — compare against known-good backups
  5. Review all files in the Goobi Viewer deployment directory for unauthorized modifications
  6. Check OS-level audit logs for unexpected process execution under the Solr service user
  7. Notify your DPO if collection metadata or personal data was exposed (GDPR obligations apply)
  8. Verify Goobi Viewer API authentication is enforced on all other REST endpoints post-upgrade
  9. Enable WAF rules to block streaming expression injection attempts going forward
  10. Schedule a penetration test of the Goobi Viewer REST API surface after upgrading

References

  • NVD — CVE-2026-45083
  • Goobi Viewer GitHub — intranda/goobi-viewer-core
  • Apache Solr Streaming Expressions Documentation