Apache Solr follows the Apache Software Foundation security process. Report
suspected vulnerabilities privately to the ASF Security Team at
security@apache.org (the Solr PMC is reachable via
private@solr.apache.org). Do not open public issues or pull requests for
security reports. See https://www.apache.org/security/ and
https://solr.apache.org/security.html.
Before reporting — and before triaging a tool/fuzzer/AI finding — read THREAT_MODEL.md. Key points:
- Solr is a search server meant to run in a trusted environment with authentication + authorization enabled. Never expose an unauthenticated Solr to an untrusted network — the admin/config/package APIs are powerful by design and must be authz-restricted (THREAT_MODEL.md sections 3, 5a, 9).
- SSRF via
shards/streaming-expression remote fetch is bounded by operator network controls, not by Solr (section 9/10). - Code-execution-adjacent features (Velocity/scripting, remote streaming) are off by default; reports requiring them enabled are out of model (section 5a).
Findings outside the model (sections 3/9/11a) are closed citing the relevant section.