Description
Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.
Published: 2026-07-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Elasticsearch is vulnerable to uncontrolled recursion, which can exhaust server resources and lead to denial of service when an authenticated user submits a specially crafted query. The flaw causes the server to allocate excessive resources while processing the request, potentially rendering the affected node unavailable. The weakness is classified as CWE-674 (Uncontrolled Recursion).

Affected Systems

The vulnerability affects Elastic Elasticsearch nodes. Specific product versions are not listed in the data, so any deployment of Elasticsearch that has not applied the corresponding security update may be exposed.

Risk and Exploitability

The risk is moderate with a CVSS score of 6.5; EPSS data is unavailable, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires authentication, meaning the attacker must have valid credentials or privileged access to submit queries. Given the lack of a publicly known exploit and the authentication requirement, the likelihood of widespread exploitation is low, but the impact on availability is significant for affected nodes.

Generated by OpenCVE AI on July 1, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Elasticsearch security update announced by Elastic, such as versions 8.19.17, 9.3.6, or 9.4.3, as referenced in the official discussion thread.
  • Restrict query access so that only authenticated users with minimal privileges can submit queries to the node.
  • Configure resource limits or rate limiting on Elasticsearch nodes to throttle oversized or recursive queries, mitigating potential denial-of-service conditions.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Elastic; Elastic elasticsearch
Vendors & Products                     Elastic; Elastic elasticsearch

Wed, 01 Jul 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.
Title                          Uncontrolled Recursion in Elasticsearch Leading to Denial of Service
Weaknesses                     CWE-674
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-07-01T17:25:09.726Z

Reserved: 2026-06-19T11:01:02.535Z

Link: CVE-2026-56148

Vulnrichment

Updated: 2026-07-01T17:21:15.433Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T23:15:04Z

Weaknesses