Goobi Viewer Hit by Unauthenticated CVE-2026-45083: Digital Archives At Risk
CVE-2026-45083 (CVSS 9.8) lets unauthenticated network clients send arbitrary Solr streaming expressions to Goobi viewer, the digital archive platform widely used by libraries, museums and research institutions. Versions 4.8.0 through 26.04.0 are affected; the broken endpoint was removed in 26.04.1.

Makoto Horikawa
Backend Engineer / AWS / Django
A critical vulnerability that lets anyone reach an entire cultural-heritage database without authentication has been found in "Goobi viewer," the open-source platform used by libraries, museums and universities to publish their digitized holdings. Tracked as CVE-2026-45083 with a CVSS score of 9.8, the issue was disclosed on May 27, 2026 by the maintainer, Germany-based intranda, as a GitHub Security Advisory (GHSA-2rgp-f66f-4499).
The root cause is that the POST /api/v1/index/stream REST endpoint forwards arbitrary Solr streaming expressions received from unauthenticated requests straight to the backend Solr server without any validation. As a result, an attacker could anonymously read the entire Solr index, including embargoed material that was supposed to be protected by access controls such as moving walls (publication embargoes), license restrictions or IP restrictions. By sending update() or delete() expressions, the attacker could even tamper with metadata or wipe entire collections.
Versions 4.8.0 through 26.04.0 are affected. The fixed release, v26.04.1, removes the offending endpoint altogether (fix commit 326980f). Cultural-institution digital archives serve as a trusted knowledge base for researchers and the public, where "authenticity of the data" is treated as paramount, so the community impact here is even larger than the raw CVSS 9.8 number suggests.
What Goobi Viewer Is
Goobi viewer is an open-source platform developed by Germany-based intranda that lets libraries, museums and archives publish digitized manuscripts, old books, maps, photographs and newspapers online, with full-text search. Combined with the company's scanning workflow tool Goobi workflow, it covers the full lifecycle of "scan the material, add metadata, publish it."
Typical use cases include the following.
- University and national libraries operating public-facing viewers for rare books and out-of-print works
- Museums and art galleries publishing collection images with descriptive metadata online
- Archives publishing old administrative documents in OCR-enabled, full-text-searchable form
- Research institutions building and operating digital archives of research materials
- Source platforms feeding pan-European cultural aggregators such as Europeana
It is in production at hundreds of cultural institutions worldwide, especially in European public bodies and German-speaking university libraries, and is one of the de-facto viewer platforms for the digital humanities. It has also seen adoption at a handful of Japanese universities and research institutions, and is gaining recognition as an option for cultural-heritage DX projects.
Technically, it is a Java/Spring web application that uses Apache Solr as its full-text search engine. The issue here is that the front-end "window" into that Solr instance, which should have been very narrowly opened, instead left the door open for anyone on the network to invoke arbitrary Solr functionality without authentication.
Inside CVE-2026-45083
The root cause sits in the design of the POST /api/v1/index/stream endpoint shipped by Goobi viewer. NVD classifies it as CWE-306 (Missing Authentication for Critical Function).
| Item | Details |
|---|---|
| CVE ID | CVE-2026-45083 |
| CVSS v3.1 | 9.8 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Vulnerability Type | CWE-306 Missing Authentication |
| Vulnerable Endpoint | POST /api/v1/index/stream |
| Affected Versions | v4.8.0 to v26.04.0 |
| Fixed Version | v26.04.1 (endpoint removed) |
| Fix Commit | 326980f |
| Authentication | Not required (PR:N) |
| CISA KEV | Not listed (as of May 28, 2026) |
Solr streaming expressions are a powerful data-manipulation language provided by Apache Solr. They go far beyond search and include record updates (update()), deletions (delete()), joins across Solr collections and even machine-learning-oriented operations. They are meant to be invoked by administrators or from within the application, never by end users directly.
When an attacker can reach this endpoint without authentication, the available attack surface looks like this.
- Reading: Pull every document in the Solr index, including non-public material that was supposed to be protected by Goobi viewer's access controls such as moving walls, license restrictions and IP restrictions
- Tampering: Use update() to rewrite metadata fields. Access-control values can be rewritten too, flipping items that should be restricted to "public"
- Destruction: Use delete() to wipe entire collections. Recovery requires re-indexing, which on a large archive means days to weeks of downtime
- Breaking document structure: Upsert unintended fields and break schema consistency
These four malicious operations simultaneously break all three core values a digital archive must defend: authenticity, integrity and availability. For a cultural institution, the catalog is not just a "database" but the very basis on which researchers and citizens decide "this record is correct." Rebuilding that trust after a tampering incident takes a long time.
Why Even The Restricted Holdings Leak
Goobi viewer implements three access-restriction patterns that are characteristic of the library community. All three are bypassed simultaneously by this vulnerability.
Moving wall: A pattern common in digital editions of newspapers and magazines, where "issues older than N years are free, the latest N years are paid." Goobi viewer correlates publication date with access rights at the display layer, but the Solr index itself still contains all of the data, so direct Solr access bypasses the wall.
License restrictions: For digitized books, contracts with rights holders or publishers often limit access to "users on the research institution's network only" or "students of a specific degree program only." Libraries implement these rules through Goobi viewer's display layer, but the underlying content lives in the Solr index, so CVE-2026-45083 lets it leak straight through.
IP restrictions: Operational rules such as "viewable only from on-campus." This is also an authorization rule implemented in the Goobi viewer front-end, and it does not apply to a direct path into Solr. If the CVE-2026-45083 endpoint is exposed externally, the IP rule simply does not kick in.
In many cases these access restrictions are not just operational choices but legal obligations imposed by copyright law and by contracts with publishers and donors. If a leak via this vulnerability can be confirmed, the library suddenly faces contractual liability, research-ethics accountability and a reporting duty to donors all at once. Although there is no technical RCE, the social impact is at least as serious.
What To Do Now
1. Upgrade Goobi viewer to v26.04.1 or later. Pull the latest release from the GitHub releases page. If you run it as a Docker image, point your intranda/goobi-viewer tags to the latest version. Because the fix commit 326980f removes the endpoint outright, organizations that were relying on its functionality will need to plan for an alternative.
2. If you cannot upgrade right away, block the endpoint at the reverse proxy. If Apache httpd sits in front of Goobi viewer, deny requests to the affected endpoint using a LocationMatch directive. If you front it with Tomcat, add a security-constraint to web.xml to require authentication.
```apache
# Apache httpd example
<LocationMatch "^/api/v1/index/stream">
    Require all denied
</LocationMatch>
```

3. Audit the past six months of access logs. Search for POST requests to /api/v1/index/stream. Any request you do not recognize, especially ones with abnormally long bodies or Solr expressions containing update or delete, should be treated as a possible tampering or deletion attempt.
4. Verify Solr index integrity. Compare the current Solr index against older backups and look for suspicious metadata changes. Pay particular attention to access-control fields (those related to moving wall, license restriction and IP restriction).
5. Confirm that materials which should remain restricted have not been flipped to "public." Cross-check, item by item, the library's metadata policy (Creative Commons licenses, access-rights operational guidelines) against the actual values currently stored in Solr. If an attacker was active for a long time, specific rare items may have been quietly switched to "public."
6. Run a legal review of potential impact on donors, rights holders and contractual partners. If you exposed an affected version externally, work with your legal and compliance teams to assess whether contractually restricted materials may have leaked. Map out the notification obligations under copyright law, the reporting duties under research ethics and the accountability obligations under donation agreements, and prepare to notify the relevant parties as required.
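To support the access-log audit in step 3, here is an added example (not code from the advisory or the Goobi viewer project) that flags every POST to the removed endpoint in Apache combined-format logs, marks large responses as likely bulk reads, and classifies a captured request body as read-only or as a write (update()/delete()). The log lines, the IP addresses and the expression strings are constructed for the demonstration.

```python
import re
from typing import NamedTuple

# Apache "combined" format; %b is the RESPONSE size. To see request-body size
# (the "abnormally long bodies" the advisory mentions) also log mod_logio's %I.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
STREAM_PATH = re.compile(r"^/api/v1/index/stream(?:[?/].*)?$")
# Streaming-expression functions the advisory names as destructive.
WRITE_FUNCS = re.compile(r"\b(update|delete)\s*\(", re.IGNORECASE)

class Hit(NamedTuple):
    ip: str
    ts: str
    status: int
    size: int
    reason: str

def audit_access_log(lines, large_bytes=4096):
    """Return every POST to the stream endpoint; flag large responses (bulk reads)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not STREAM_PATH.match(m["path"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        reason = "POST to /api/v1/index/stream"
        if size >= large_bytes:
            reason += "; large response"
        hits.append(Hit(m["ip"], m["ts"], int(m["status"]), size, reason))
    return hits

def classify_expression(body):
    """Classify a captured request body (WAF/proxy body log) as read or write."""
    funcs = sorted({f.lower() for f in WRITE_FUNCS.findall(body)})
    return "write:" + ",".join(funcs) if funcs else "read"

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:02:14:33 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 98211 "-" "python-requests/2.31"
198.51.100.4 - - [20/May/2026:09:01:02 +0000] "GET /viewer/search/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2026:02:16:10 +0000] "POST /api/v1/index/stream?wt=json HTTP/1.1" 200 41 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for h in audit_access_log(SAMPLE_LOG.splitlines()):
        print(h)
```

Every hit deserves a look, since the endpoint has no legitimate unauthenticated caller; the "large response" flag only prioritizes which ones to check first.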
Security Management For Cultural-Heritage OSS
Libraries, museums and archives are a sector where domain-specific OSS such as Goobi viewer is often preferred over closed-source commercial products. Budget constraints at research institutions, long-term-preservation requirements, the desire to avoid vendor lock-in and the appeal of community-driven feature extension all push in that direction.
At the same time, IT operations in cultural institutions are chronically short-staffed compared with commercial enterprises, and tracking OSS vulnerabilities and applying patches quickly is rarely a core strength. A CVE like this one in Goobi viewer would make the news on day one if it landed in a major commercial vendor's product, yet in the cultural-heritage OSS world the same severity can quietly go under-publicized.
In Japan, digital-archive projects are advancing in contexts such as cultural-heritage DX, regional materials digitization and university repositories. It is time to apply continuous-monitoring approaches such as the OSS Supply-Chain Scanner to cultural institutions as well, and to build a culture in which CVEs for domain-specific OSS like Goobi viewer, DSpace, Omeka, Greenstone, Invenio and Mukurtu are shared across municipal and university IT teams.
On this site we keep an ongoing list of CVEs that CISA has confirmed as exploited, together with their remediation deadlines, on the CISA KEV Dashboard (Japanese). Goobi viewer is not on KEV at the time of writing, but cultural-institution digital archives have been targeted by attack campaigns before, and the picture can change quickly once exploitation is observed in the wild.