Elasticsearch 7.17.24, 8.15.0 Security Update (ESA-2026-52)

Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.

Affected Versions:

  • 7.x: All versions up to and including 7.17.23
  • 8.x: All versions from 8.0.0 up to but not including 8.15.0

Affected Configurations:

  • All configurations are affected. Exploitation requires an authenticated account able to submit requests to the bulk API.

Solutions and Mitigations:

The issue is resolved in version 7.17.24 and 8.15.0.

For Users that Cannot Upgrade:

There are no workarounds for this vulnerability.

Indicators of Compromise (IOC)

No specific indicators of compromise have been identified for this vulnerability.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium ( 6.5 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-49090
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-130 - Excessive Allocation