| Summary: Xerox evaluated DocuShare for Apache Solr CVE-2026-44825 and determined that standard DocuShare deployments are not affected. This vulnerability depends on Solr Basic Authentication being bootstrapped with the Solr command that creates default template users, and that bootstrap path is not used by DocuShare. |
Applies To
| DocuShare Release | Guidance |
| DocuShare 7.5 | Not affected under the standard Xerox DocuShare search deployment model. |
| DocuShare 7.6 | Not affected under the standard Xerox DocuShare search deployment model. |
| DocuShare 7.7 | Not affected under the standard Xerox DocuShare search deployment model. |
| DocuShare 8.0 | Not affected under the standard Xerox DocuShare search deployment model, even though the bundled Solr version is within the upstream affected range. |
| DocuShare 8.1 | Not affected under the standard Xerox DocuShare search deployment model, even though the bundled Solr version is within the upstream affected range. |
Overview
CVE-2026-44825 is an Apache Solr vulnerability involving hardcoded default accounts created by Solr's Basic Authentication setup tool. The issue occurs when an administrator enables Solr Basic Authentication with the Solr bootstrap command that silently adds template users into the Solr security.json file.
Xerox DocuShare engineering analysis confirmed that standard DocuShare deployments do not use that Solr Basic Authentication bootstrap path. In the DocuShare codebase reviewed for this advisory, DocuShare does not ship a security.json file and no DocuShare install, setup, or startup path was identified that invokes the Solr Basic Authentication bootstrap command.
Because the Solr template-user bootstrap path is not used, the default credential condition required for this CVE is not present in a standard DocuShare deployment.
Version Context
For customers comparing DocuShare's bundled Solr version against the upstream CVE advisory, the version context is as follows:
- DocuShare 7.6 and 7.7 ship Solr 9.1.1, which is below the upstream affected range.
- DocuShare 8.0 and 8.1 ship Solr 9.10.1, which is within the upstream affected range.
- Standard DocuShare deployments remain not affected because DocuShare does not run the Solr Basic Authentication bootstrap command that creates the vulnerable template accounts.
What the Vulnerability Requires
The vulnerability depends on a specific Solr authentication setup path that is outside the standard DocuShare deployment model.
- A Solr version within the affected upstream range.
- Solr Basic Authentication enabled through the Solr bootstrap command that creates template users in security.json.
- The default template accounts remaining present or unchanged after that bootstrap step.
DocuShare Assessment
| Assessment Item | Finding |
| Solr Basic Authentication bootstrap path | Not used in the standard DocuShare deployment model. |
| security.json shipped by DocuShare | Not present in the reviewed DocuShare codebase for the standard Solr deployment path. |
| Default Solr template users from this CVE | Not created by the standard DocuShare install or startup flow. |
| Customer guidance | No action is required for a standard DocuShare deployment. |
| Important: If your organization has manually enabled Solr Basic Authentication outside the standard Xerox DocuShare deployment model, review the Solr security.json file and remove or change any template-user credentials created by that Solr bootstrap process. That manual customization would not be covered by the standard DocuShare assessment in this article. |
What You Should Do
- No action is required for a standard Xerox DocuShare deployment.
- If your organization manually enabled Solr Basic Authentication, review the Solr security.json file and ensure no template-user credentials from the Solr bootstrap path remain in use.
- If your environment uses Solr customizations outside the standard Xerox DocuShare deployment model, review those changes with Xerox DocuShare Support.
- Xerox recommends that customers remain on the latest Xerox-supported DocuShare patch level available for their release as part of normal maintenance.