
CRITICAL · Disclosure May 16, 2026

Solr 7.6.0 unauth fleet: Aggregate cloud-provider disclosure

Drafted 2026-05-16 by NuClide Research. Not yet sent. Awaiting recipient-channel verification.

Subject

Apache Solr 7.6.0 fleet on your platform: 516 hosts exposed to unauthenticated remote code execution (CVE-2019-17558 / CVE-2019-0193)

Body

Hello [security team],

NuClide Research conducted a population-scale survey of self-hosted vector-database and search-index platforms on 2026-05-16. We identified 516 Apache Solr instances on version 7.6.0 that are reachable from the public internet with administrative endpoints unauthenticated. Approximately 122 are hosted on Linode/Akamai Connected Cloud (24%) and ~60 on Alibaba Cloud (12%), with the remainder on smaller hosters.

Apache Solr 7.6.0 was released December 2018. The endpoints reachable on these hosts include:

  • GET /solr/admin/info/system: returns Java/Solr/Lucene versions, OS info and JVM flags
  • GET /solr/admin/cores?action=STATUS: returns the list of cores (indexes), each name disclosing the operator's application schema
  • GET /solr/admin/configs: returns configset names (SolrCloud Configsets API)
  • GET /solr/<core>/select?q=*:*&rows=N: returns N documents from any core (we did not exercise this; the access exists)

Two documented unauthenticated remote-code-execution vulnerabilities apply to 7.6.0; a third that is routinely cited alongside them is version-specific and does not:

CVE | Class | Impact
CVE-2019-17558 | VelocityResponseWriter template injection (SSTI) | A POST to /solr/<core>/config sets params.resource.loader.enabled=true; GET /solr/<core>/select?wt=velocity&v.template=custom&v.template.custom=<template> then renders an attacker-supplied Velocity template, giving arbitrary Java execution. Affects 5.0.0 through 8.3.1. Public Metasploit module: exploit/multi/http/solr_velocity_rce.
CVE-2019-0193 | DataImportHandler RCE | An unauthenticated request to /solr/<core>/dataimport with an attacker-controlled dataConfig parameter executes attacker script inside the JVM. Affects versions before 8.2.0, on cores whose solrconfig.xml registers the DataImportHandler. Public Metasploit module: exploit/multi/http/solr_dih_rce.
CVE-2019-12409 | JMX/RMI enabled by default | Only the 8.1.1 and 8.2.0 tarballs shipped solr.in.sh with ENABLE_REMOTE_JMX_OPTS=true, exposing unauthenticated JMX/RMI on port 18983; a reachable JMX endpoint yields RCE via MBean loading or deserialization. Does NOT apply to 7.6.0 unless the operator enabled remote JMX themselves.

We did NOT exercise any of these against the survey set. The population finding is based on the reachable metadata endpoints, the version disclosure, and the documented CVE class. Each host should be treated as actively exploitable given the public exploit modules.
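As an added example (not code from the NuClide draft or from aimap), the script below turns the two admin responses listed above into the population check described here: conjunctive markers for "unauthenticated Solr", core enumeration without ever issuing a /select query, and a version-to-CVE map that applies CVE-2019-12409 only to the 8.1.1/8.2.0 releases that shipped remote JMX on. The JSON bodies, core document counts and the `probe` helper's host argument are constructed for illustration; `probe` is the live equivalent and is not exercised here.

```python
"""Added example (not from the NuClide draft or aimap): classify a Solr host
from the two read-only admin responses, then map its version to the CVEs
discussed above. Sample bodies are constructed in the shape Solr returns."""
import json
import urllib.error
import urllib.request
from typing import Optional

# Constructed /solr/admin/info/system body (hypothetical values, trimmed to the
# keys used here; a real response also carries JVM flags and system details).
SAMPLE_INFO_SYSTEM = json.dumps({
    "responseHeader": {"status": 0, "QTime": 12},
    "mode": "std",
    "solr_home": "/opt/solr/server/solr",
    "lucene": {"solr-spec-version": "7.6.0", "lucene-spec-version": "7.6.0"},
    "jvm": {"version": "1.8.0_181 25.181-b13"},
    "system": {"name": "Linux", "arch": "amd64"},
})

# Constructed /solr/admin/cores?action=STATUS body; core names borrowed from
# the template cluster described in the draft, document counts invented.
SAMPLE_CORE_STATUS = json.dumps({
    "responseHeader": {"status": 0, "QTime": 3},
    "initFailures": {},
    "status": {
        "postal_codes": {"name": "postal_codes", "schema": "managed-schema",
                         "index": {"numDocs": 41892}},
        "Products": {"name": "Products", "schema": "managed-schema",
                     "index": {"numDocs": 1203}},
    },
})

# Affected versions per the Apache Solr advisories: (cve, first affected,
# first fixed). CVE-2019-12409 is confined to the 8.1.1/8.2.0 tarballs that
# shipped ENABLE_REMOTE_JMX_OPTS=true, so it never fires for 7.6.0.
CVE_RANGES = (
    ("CVE-2019-17558", (5, 0, 0), (8, 4, 0)),
    ("CVE-2019-0193", (1, 3, 0), (8, 2, 0)),
    ("CVE-2019-12409", (8, 1, 1), (8, 2, 1)),
)


def parse_version(spec: str) -> tuple:
    """'7.6.0' -> (7, 6, 0); drops suffixes such as '-SNAPSHOT'."""
    parts = [int(p) for p in spec.split("-", 1)[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def applicable_cves(spec: str) -> list:
    v = parse_version(spec)
    return [cve for cve, lo, hi in CVE_RANGES if lo <= v < hi]


def fingerprint(status: int, info_body: str, cores_body: Optional[str]) -> dict:
    """Conjunctive, marker-anchored classification: a host counts as
    unauthenticated Solr only if every Solr-specific marker is present."""
    if status in (401, 403):
        return {"unauth": False, "reason": f"admin endpoint answered HTTP {status}"}
    if status != 200:
        return {"unauth": False, "reason": f"unexpected HTTP {status}"}
    try:
        info = json.loads(info_body)
    except ValueError:
        return {"unauth": False, "reason": "admin endpoint did not return JSON"}
    lucene = info.get("lucene") or {}
    solr_ver, lucene_ver = lucene.get("solr-spec-version"), lucene.get("lucene-spec-version")
    if not (solr_ver and lucene_ver and "mode" in info and "responseHeader" in info):
        return {"unauth": False, "reason": "Solr markers incomplete (decoy, proxy or partial)"}
    cores, failed = [], []
    if cores_body:
        try:
            cs = json.loads(cores_body)
            cores = sorted(cs.get("status") or {})
            failed = sorted(cs.get("initFailures") or {})  # cores that failed to load
        except ValueError:
            pass
    return {"unauth": True, "version": solr_ver, "lucene": lucene_ver,
            "mode": info["mode"], "cores": cores, "failed_cores": failed,
            "cves": applicable_cves(solr_ver)}


def probe(host: str, port: int = 8983, timeout: float = 5.0) -> dict:
    """Live variant: two GETs against admin handlers, never a /select query."""
    base = f"http://{host}:{port}/solr"

    def get(path: str):
        try:
            with urllib.request.urlopen(base + path, timeout=timeout) as resp:
                return resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""
        except urllib.error.URLError as err:
            return 0, str(err.reason)

    status, info = get("/admin/info/system?wt=json")
    if status != 200:
        return fingerprint(status, info, None)
    _, cores = get("/admin/cores?action=STATUS&wt=json")
    return fingerprint(status, info, cores)


if __name__ == "__main__":
    print(json.dumps(fingerprint(200, SAMPLE_INFO_SYSTEM, SAMPLE_CORE_STATUS), indent=2))
```

The conjunctive check is what keeps decoys and reverse proxies out of the count: a page that merely contains the string "7.6.0" is not classified, and a 401 from /solr/admin/info/system is recorded as authenticated rather than discarded. The `failed_cores` list is worth keeping because a core that failed to load still discloses its name.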

Operator-attribution detail

Sample core names disclosed across the 516 hosts include (each name discloses the operator’s application schema):

  • mgw_hce_search_index, mgw_integral_search_index, supplier_member_search_index (e-commerce + supplier marketplace)
  • gaizhouEnterprise, gzEnterprise, qfEnterprise, scEnterprise, wnEnterprise, exploit_core, rumor, rumorRecordCategory (a multi-tenant CN provincial-government registry; the "exploit_core" label is the most alarming entry)
  • service_provider_indices, specialties (healthcare directory)
  • postal_codes, era2023, thesis, airjonge1/2/3, Products (repeating template across many hosts, suggesting a shared Docker image or marketplace package)

We have a full IP+port list available on request; we are NOT publishing it externally pending coordinated remediation.

Why we’re contacting you

The 7.6.0-vintage concentration (~84% of the 613 confirmed-unauth Solr hosts in our survey are on this single version, dominant by 27× over the next-most-common version) suggests a deployment-template phenomenon, almost certainly a Docker image (likely solr:7.6.0 on Docker Hub or a derivative) that was widely deployed during the ~2019 timeframe, never patched, and the deployments still serve traffic.

Linode and Alibaba Cloud are the two largest hosters of this fleet by IP-count. Recommended actions:

  1. Aggregate notification: notify the affected tenants via your standard abuse-vulnerability channel. We can provide the IP list partitioned by AS.
  2. Marketplace image audit: if either of you offer a marketplace Solr image or a “one-click Solr” deployment template, verify that it does not still pin to 7.6.0 and that auth is enabled by default.
  3. Deprecate version: Solr 7.x reached end-of-life in March 2021; the current stable line is 9.x. The Apache Solr project should push a hosting-platform-level deprecation notice; we'll raise this on the Solr security mailing list separately.
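For the marketplace-image audit in step 2, the following is an added example (not code from the NuClide draft or from the Solr project) of what "auth enabled by default" looks like as a concrete artifact: it generates a security.json with BasicAuth, blockUnknown and a deny-by-default authorization rule, and audits an existing file for the settings that leave admin handlers anonymous. The credential format follows the scheme documented for Solr's Sha256AuthenticationProvider, base64(sha256(sha256(salt || password))) followed by a space and base64(salt); the user name, password and fixed salt below are placeholders.

```python
"""Added example (not from the NuClide draft or the Solr project): build a
security.json with authentication on and a deny-by-default authorization
rule, and audit an existing one for the weak settings that leave admin
handlers anonymous. Credential format follows Solr's documented
Sha256AuthenticationProvider: base64(sha256(sha256(salt || password))) then a
space then base64(salt)."""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional


def solr_password_hash(password: str, salt: bytes) -> str:
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return base64.b64encode(second).decode() + " " + base64.b64encode(salt).decode()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a plaintext against a stored 'hash salt' pair."""
    try:
        _, salt_b64 = stored.split(" ", 1)
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(solr_password_hash(password, salt), stored)


def hardened_security_json(admin_user: str, password: str,
                           salt: Optional[bytes] = None) -> dict:
    salt = salt or os.urandom(32)
    return {
        "authentication": {
            "blockUnknown": True,            # reject requests carrying no credentials
            "class": "solr.BasicAuthPlugin",
            "credentials": {admin_user: solr_password_hash(password, salt)},
            "forwardCredentials": False,
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [
                {"name": "security-edit", "role": "admin"},
                {"name": "all", "role": "admin"},   # catch-all: no path is left open
            ],
            "user-role": {admin_user: ["admin"]},
        },
    }


def audit_security_json(doc: dict) -> list:
    """Return the weaknesses found; an empty list means the file passes."""
    findings = []
    auth = doc.get("authentication") or {}
    if not auth.get("class"):
        findings.append("no authentication plugin: every handler is anonymous")
    else:
        if not auth.get("blockUnknown", False):
            findings.append("blockUnknown is false: requests without credentials "
                            "still reach handlers that lack an explicit permission")
        if auth.get("class") == "solr.BasicAuthPlugin" and not auth.get("credentials"):
            findings.append("BasicAuthPlugin configured with no credentials")
    authz = doc.get("authorization") or {}
    if not authz.get("class"):
        findings.append("no authorization plugin: any authenticated user is an admin")
    else:
        names = {p.get("name") for p in authz.get("permissions", [])}
        if "all" not in names:
            findings.append("no 'all' permission: paths without a rule, /select "
                            "included, stay open to every authenticated user")
    return findings


def render(doc: dict) -> str:
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # Placeholder admin user and password; supply a real one via SOLR_ADMIN_PW.
    doc = hardened_security_json("solr", os.environ.get("SOLR_ADMIN_PW", "change-me"))
    print(render(doc))
    print("audit:", audit_security_json(doc) or "clean")
```

The file goes in SOLR_HOME/security.json for standalone mode or into ZooKeeper for SolrCloud; `bin/solr auth enable` produces the same single-admin layout. Before trusting this implementation against a particular Solr build, check its output for the reference guide's sample credential (user solr, password SolrRocks) against the published hash.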

Methodology / verification

NuClide Research at https://nuclide-research.com tests the thesis that authentication is on by default, at population scale, across AI/LLM and adjacent infrastructure categories. Our methodology is published. Each finding is verified via marker-anchored conjunctive HTTP probes (no exploitation), captured in our nuclide.db ledger, and published as a case study at https://nuclide-research.com/research/.

The survey case study for this finding is at: https://nuclide-research.com/research/case-studies—commercial—vectordb-stragglers-population-survey-2026-05-16/

Tooling used: aimap (https://github.com/Nicholas-Kloster/aimap), our open-source AI/ML infrastructure scanner. The Solr fingerprint shipped in v1.9.7 on 2026-05-16.

We’re happy to coordinate further or provide raw evidence per your standard channels.


NuClide Research disclosures@nuclide-research.com PGP: see https://nuclide-research.com/pgp.txt

Internal notes (NOT for outbound copy)

  • AS63949 honeypot risk: 122 of 516 Solr hosts are on Linode IP ranges. Per reference_as63949_honeypot_fleet and prior Akamai honeypot mappings, some Linode IPs are part of a 393-host honeypot fleet seeded with the salt wW0sffoqsk.EM. We sampled 3 random Linode Solr hosts and found none matched the salt. These appear to be real deployments. Full honeypot-filter pass before sending: filter out any host where /solr/admin/info/system contains the salt OR where the same host runs > 5 impossible-to-colocate services (Insight #22 multi-protocol-honeypot pattern).
  • Recipient channel verification deferred: the email addresses security@akamai.com and security@alibabacloud.com are educated guesses; confirm via the official security-disclosure pages on each platform before sending. Akamai’s official channel: https://www.akamai.com/security-policies. Alibaba Cloud: https://www.alibabacloud.com/help/en/security-and-compliance/.
  • PGP key: ensure disclosures@nuclide-research.com PGP key is current.
  • Hold-cluster-detail rule: per feedback_defense_contractor_disclosure_handling, hold the CN provincial-government cluster IP (119.29.117.117) until that operator separately acknowledges; their disclosure may need to go via abuse-mailbox on the relevant /24 first.
  • BARE module ranking: exploits_multi_http_solr_velocity_rce ranked top by BARE semantic similarity at 0.727. Confirms the commodity-exploit-chain framing.