
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpo…

Published:

26 May 2026 at 22:00:00

Alert date:

27 May 2026 at 23:01:09

Source:

nvd.nist.gov


Web Technologies, Database & Storage

The Goobi viewer web application contains a critical vulnerability in versions from 4.8.0 up to, but not including, 26.04.1. The REST endpoint POST /api/v1/index/stream accepts arbitrary Solr streaming expressions from unauthenticated clients and forwards them to the backend Solr server without restriction. This allows attackers to read the complete Solr index and, in default Solr deployments, potentially modify or delete indexed records. The result is unauthorized access to digitized material and manipulation of the index through injected expressions. The issue has been fixed in version 26.04.1.
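A defender-side check for the exposure described above, as an added example that is not part of the original advisory or of the Goobi viewer code: it tests a version string against the affected range and scans reverse-proxy access logs for POSTs to the endpoint from outside a trusted network. The Combined Log Format, the `TRUSTED` ranges, the `/viewer` context path and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/api/v1/index/stream"  # endpoint named in the advisory
# Assumption: networks allowed to reach the endpoint; adjust per site.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
# Assumption: Combined Log Format (client, timestamp, request line, status).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_affected(version):
    """True for versions from 4.8.0 up to, but not including, 26.04.1."""
    v = tuple(int(p) for p in version.split("."))
    return (4, 8, 0) <= v < (26, 4, 1)

def normalise(target):
    """Drop the query string, decode, collapse '//' and a trailing '/'."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).rstrip("/")

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED)

def find_stream_posts(lines):
    """Map each untrusted client to the status codes of its POSTs."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method == "POST" and normalise(target).endswith(ENDPOINT):
            if not is_trusted(client):
                hits[client].append(int(status))
    return dict(hits)

# Constructed sample lines (documentation address ranges, made-up context path).
SAMPLE = [
    '203.0.113.7 - - [27/May/2026:10:00:01 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/May/2026:10:00:03 +0000] "POST /viewer//api/v1/index/stream/?a=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [27/May/2026:10:01:00 +0000] "GET /viewer/api/v1/index/stream HTTP/1.1" 405 0',
    '10.0.0.5 - - [27/May/2026:10:02:00 +0000] "POST /viewer/api/v1/index/stream HTTP/1.1" 200 900',
]
if __name__ == "__main__":
    print(find_stream_posts(SAMPLE))
```

A 2xx status on a hit from an untrusted address means the request was served, so those entries are the ones to review first on an installation where `is_affected` returns true.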

Technical details

Mitigation steps:

Affected products:

Goobi viewer

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
