Critical | Vulnerability | Active

Unauthenticated Solr Streaming Expression Proxy in Goobi Viewer REST API

Goobi viewer's POST /api/v1/index/stream endpoint forwarded arbitrary Solr streaming expressions without authentication, enabling complete index exfiltration, modification, and deletion. This PoC demonstrates pre-authentication remote code execution risk against backend search infrastructure.

Sebastion

CVE References

Affected

Goobi/goobi-viewer-core

Vulnerability Description

The Goobi viewer exposed an unauthenticated REST endpoint that accepted arbitrary Solr streaming expressions and proxied them directly to backend Solr servers without validation or access control. Solr streaming expressions are a Turing-complete language supporting I/O operations (read(), write(), update(), delete()), making this a critical authentication bypass vulnerability. The root cause is insufficient input validation and lack of authentication enforcement on a sensitive administrative function. Impact spans confidentiality (full index read), integrity (metadata modification via update() expressions), and availability (complete index deletion via delete() expressions).

Proof-of-Concept Significance

This advisory documents a straightforward endpoint enumeration and expression injection attack that requires only network access and no credentials. The PoC's significance lies in proving that default Goobi deployments expose search infrastructure without protective layers. Preconditions are minimal: the endpoint must be network-reachable and Solr must be accessible from the application server. The attack is highly reliable because Solr streaming expressions have predictable syntax and extensive operator support for data manipulation.

Detection Guidance

Defenders should monitor for:

  • HTTP POST requests to paths matching /api/v[12]/index/stream
  • Presence of Solr streaming operators in request bodies: read(), write(), update(), delete(), select(), search()
  • Unusual response sizes from the /api/v1/index/stream endpoint (exfiltration signature)
  • 404 responses to these requests once the patch is applied (the endpoint has been removed, so continued requests indicate probing)
  • Web access logs showing unauthenticated access to /api/v1/index/ paths

Log indicators: requests with Content-Type: application/json or application/x-www-form-urlencoded containing streaming expression syntax to the index/stream path from non-administrative source IPs.
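Detection logic for the indicators above, as an added example that is not part of the advisory or the Goobi project's code. It assumes combined-format access log lines (which carry no request body) plus request bodies captured by a separate WAF or request-logging layer; the sample lines, bodies, administrative source prefix and response-size threshold are all constructed for illustration.

```python
"""Classify requests against the Goobi viewer index/stream indicators.

Added example, not from the advisory or the Goobi project. Plain web access
logs record method, path, status and response size but not the POST body, so
the streaming-operator check only fires when a body is supplied from a WAF or
request-logging layer.
"""
import re
from dataclasses import dataclass

# Paths named in the advisory: /api/v1/... and /api/v2/... index/stream.
STREAM_PATH = re.compile(r"/api/v[12]/index/stream(?:[/?]|$)")
# Solr streaming operators listed in the advisory, followed by an opening paren.
STREAM_OPERATORS = re.compile(
    r"\b(read|write|update|delete|select|search)\s*\(", re.I)
# Constructed threshold: larger responses from the endpoint suggest exfiltration.
EXFIL_BYTES = 1_000_000
# Constructed: source prefixes treated as administrative.
ADMIN_NETS = ("10.0.0.",)

# Combined log format: ip ident user [time] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    status: int
    resp_bytes: int
    body: str = ""


def parse_access_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return Request(m["ip"], m["method"], m["path"], int(m["status"]), size)


def classify(req):
    """Return the indicator names that match one request, in evaluation order."""
    hits = []
    if req.method.upper() != "POST" or not STREAM_PATH.search(req.path):
        return hits
    hits.append("stream_endpoint_post")
    ops = sorted({m.group(1).lower() for m in STREAM_OPERATORS.finditer(req.body)})
    if ops:
        hits.append("streaming_operators:" + ",".join(ops))
        if any(op in ("update", "delete", "write") for op in ops):
            hits.append("destructive_operator")  # integrity/availability impact
    if req.resp_bytes > EXFIL_BYTES:
        hits.append("large_response")            # exfiltration signature
    if req.status == 404:
        hits.append("endpoint_removed_probe")    # patched host still being hit
    if not req.src_ip.startswith(ADMIN_NETS):
        hits.append("non_admin_source")
    return hits


# Constructed sample access-log lines (combined format, no request body).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/v1/records/PPN123 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/Mar/2024:10:01:09 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 5000000',
    '198.51.100.7 - - [12/Mar/2024:10:02:41 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 120',
    '203.0.113.5 - - [12/Mar/2024:11:15:00 +0000] "POST /api/v2/index/stream HTTP/1.1" 404 0',
]
# Constructed request bodies as a WAF would record them, keyed by log line index.
SAMPLE_BODIES = {
    1: 'search(collection1, q="*:*", fl="id,title", sort="id asc")',
    2: 'delete(collection1, batchSize=500, search(collection1, q="*:*", fl="id", sort="id asc"))',
}


def run_sample():
    """Parse the sample lines, attach bodies where captured, classify each."""
    results = []
    for i, line in enumerate(SAMPLE_LOG):
        req = parse_access_line(line)
        if req is None:
            continue
        req.body = SAMPLE_BODIES.get(i, "")
        results.append(classify(req))
    return results


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, run_sample()):
        print(line.split('"')[1], "->", hits or "clean")
```

The ordering of checks matters for triage: a non-POST or non-matching path exits early so ordinary record lookups produce no alert, while a body containing update(), delete() or write() is escalated separately from read-only search() traffic because the former maps to the integrity and availability impact described above.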

Mitigation Steps

Immediate (pre-patch): Apply reverse proxy blocking rules (Apache httpd: <LocationMatch> blocks to /api/v[12]/index/stream; Nginx: location ~ ^.*api/v[12]/index/stream with deny all). Add Tomcat security constraints in web.xml to deny unauthenticated access. Restrict network access to Goobi viewer endpoints using firewall rules.

Long-term: Upgrade to patched version (commit 326980f24c or later) which removes the endpoint entirely. Audit all remaining search API endpoints for similar authentication bypass issues. Implement API authentication (OAuth2, JWT, mutual TLS) on all administrative search operations.

Risk Assessment

Likelihood of exploitation is very high because: (1) the vulnerability requires no authentication or user interaction, (2) it affects default deployments, (3) exploitation is trivial via HTTP POST, and (4) comprehensive index access enables secondary attacks (metadata exfiltration of restricted collections, ransomware-style index deletion). Threat actors and opportunistic scanners actively exploit unauthenticated API endpoints. Organizations using Goobi viewer for digital library platforms (cultural institutions, academic libraries) storing restricted or sensitive metadata are priority targets. The advisory's widespread publication increases threat actor awareness.