Description
Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.
Published: 2026-07-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Elastic Fleet Server suffers from an Allocation of Resources Without Limits or Throttling flaw, identified as CWE-770. An attacker can craft a request to the upload endpoint that causes the server to allocate excessive memory, resulting in degraded performance and ultimately making the service unavailable. The primary impact is a denial of service that can affect all users interacting with Fleet Server.

Affected Systems

The vulnerability affects the Elastic Fleet Server product. No specific version range is listed in the data; the issue was reported in the context of recent security updates for Fleet Server.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog, suggesting limited known exploitation. The attack vector appears to be via the upload endpoint, which is inferred from the description. Because the flaw relies on excessive resource allocation, an attacker does not need elevated privileges, but does need network access to the Fleet Server service. Overall, the risk is moderate with potential for operational disruption if unmitigated.

Generated by OpenCVE AI on July 1, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Fleet Server to the latest released version that includes the fix announced in ESA-2026-44 (see Elastic’s discussion thread).
  • Implement application-level limits or throttling on the upload endpoint, or set OS-level memory or CPU quotas for the Fleet Server process to cap resource usage.
  • Implement monitoring and alerting for sudden increases in memory consumption, and apply a network-level rate limit or web application firewall to restrict the number of upload requests per minute.
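
The application-level limit recommended above, as an added illustration that is not Fleet Server's own code and not from the advisory: a Go upload handler that caps the bytes read per request with http.MaxBytesReader, bounds the number of uploads in flight, and streams the body instead of buffering it, so a single oversized or repeated upload cannot drive unbounded memory allocation. The size cap, slot count and /upload path are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical per-request cap; the page does not state Fleet Server's real limit.
const maxUploadBytes = 1 << 20 // 1 MiB

// Bounded number of uploads in flight, so parallel requests cannot multiply the cap.
var uploadSlots = make(chan struct{}, 4)

// boundedUploadHandler reads the body through http.MaxBytesReader, which stops
// reading once the cap is exceeded instead of letting the request grow the heap
// without limit (the CWE-770 pattern), and streams bytes rather than buffering.
func boundedUploadHandler(w http.ResponseWriter, r *http.Request) {
	select {
	case uploadSlots <- struct{}{}:
		defer func() { <-uploadSlots }()
	default:
		http.Error(w, "too many concurrent uploads", http.StatusTooManyRequests)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
	// io.Discard stands in for the real destination (a file or chunk store).
	if _, err := io.Copy(io.Discard, r.Body); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "upload exceeds size limit", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postUpload is a constructed helper: it sends a body of the given size to the
// handler (the path is hypothetical) and returns the HTTP status code.
func postUpload(size int) int {
	body := strings.NewReader(strings.Repeat("a", size))
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	rec := httptest.NewRecorder()
	boundedUploadHandler(rec, req)
	return rec.Code
}
```

A request at or under the cap is accepted; one byte over is rejected with 413 after at most maxUploadBytes have been read.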

Tracking

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Elastic; Elastic fleet Server
Vendors & Products                    Elastic; Elastic fleet Server

Wed, 01 Jul 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.
Title                          Allocation of Resources Without Limits or Throttling in Fleet Server Leading to Denial of Service
Weaknesses                     CWE-770
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Elastic Fleet Server
MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-07-01T17:25:09.438Z

Reserved: 2026-06-19T11:01:02.535Z

Link: CVE-2026-56150

Vulnrichment

Updated: 2026-07-01T17:21:11.044Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T23:00:05Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling