Description
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.
Published: 2026-07-01
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A privileged user can submit a specially crafted machine learning request that forces Elasticsearch to allocate an excessive amount of memory, eventually exhausting available resources and making the node unavailable. This vulnerability is an instance of resource exhaustion (CWE‑770) that leads to denial of service by causing the node to become unresponsive.

Affected Systems

Elastic: Elasticsearch. No specific version range is listed in the data, but the vendor advisory references security updates for Elasticsearch 8.19.17, 9.3.6, and 9.4.3.

Risk and Exploitability

The CVSS score of 4.9 classifies the vulnerability as low‑to‑medium severity, and it is not present in the CISA KEV catalog. The EPSS score is not available, so the likelihood of exploitation is unclear. The attack requires elevated privileges and the ability to submit machine‑learning requests; without such access, remote exploitation is unlikely. If a privileged user has this ability, the risk of a denial‑of‑service incident is significant for the affected node.

Generated by OpenCVE AI on July 1, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official security update for Elasticsearch (e.g., upgrade to 8.19.17, 9.3.6, or 9.4.3) to eliminate the resource‑exhaustion flaw.
  • Restrict or disable the ability for non‑administrator accounts to submit machine‑learning requests, limiting the privilege required to trigger the vulnerability.
  • Configure heap size, memory limits, and enable throttling of machine‑learning job requests to avoid excessive consumption even if the vulnerability exists.

Generated by OpenCVE AI on July 1, 2026 at 22:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Elastic
Elastic elasticsearch
Vendors & Products Elastic
Elastic elasticsearch

Wed, 01 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.
Title Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Elastic Elasticsearch
cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-07-01T17:25:09.581Z

Reserved: 2026-06-19T11:01:02.535Z

Link: CVE-2026-56149

cve-icon Vulnrichment

Updated: 2026-07-01T17:21:13.325Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T23:00:05Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling