PT-2026-40722 · Intranda · Goobi Viewer Core

Mgeerdsen · Published 2026-05-13 · Updated 2026-05-28 · CVE-2026-45083

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Goobi viewer versions 4.8.0 through 26.04.0

Description: The REST endpoint "POST /api/v1/index/stream" accepts arbitrary Solr streaming expressions from unauthenticated network clients and forwards them to the backend Solr server without restriction. This allows an attacker to read the complete Solr index, including documents protected by access conditions, license requirements, or IP restrictions. Additionally, in default Solr deployments, attackers can use update() streaming expressions to overwrite indexed field values, alter metadata, or corrupt document structures, and use delete() streaming expressions to permanently remove documents or the entire collection.

Recommendations: Update to version 26.04.1. As a temporary workaround, block the "/api/v1/index/stream" endpoint using a reverse proxy or within the Tomcat configuration.
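One way to apply the Tomcat-side workaround, as an added example that is not from the advisory or the Goobi project: a deny-all security constraint placed inside the `<web-app>` element of the viewer's WEB-INF/web.xml. It assumes the viewer runs as a standard servlet web application and that the url-pattern is relative to the application's context root (for example /viewer).

```xml
<!-- Added example (not from the Goobi project): deny every request to the Solr
     streaming endpoint until the update to 26.04.1 is deployed. An empty
     <auth-constraint/> permits no role at all, so the container answers 403
     whether or not the client is authenticated. No <http-method> is listed,
     so POST and every other method are covered. The second pattern catches a
     trailing slash or sub-path. Patterns are relative to the context root,
     which is assumed to be the viewer's own (e.g. /viewer). -->
<security-constraint>
  <display-name>CVE-2026-45083 workaround: block Solr streaming endpoint</display-name>
  <web-resource-collection>
    <web-resource-name>Solr streaming API</web-resource-name>
    <url-pattern>/api/v1/index/stream</url-pattern>
    <url-pattern>/api/v1/index/stream/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

A web.xml inside the deployed WAR is replaced on redeploy, so either put the constraint in Tomcat's global conf/web.xml or re-check it after each deployment; confirm the block by requesting the path and expecting a 403 from the container rather than a Solr response.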

Fix

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-45083
GHSA-2RGP-F66F-4499

Affected Products

Goobi Viewer Core
Io.Goobi.Viewer:Viewer-Core