Uncontrolled Recursion in Elasticsearch Leading to Denial of Service
Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.16
- 9.x:
  - All versions from 9.0.0 up to and including 9.4.2
  - The 9.3 release line is affected up to and including 9.3.5
Affected Configurations:
- All configurations are affected. Exploitation requires an authenticated account with privileges to submit queries; no administrative privileges are required.
Solutions and Mitigations:
The issue is resolved in versions 8.19.17, 9.3.6, and 9.4.3.
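As an added example (not part of Elastic's advisory or its tooling), the Python check below applies the affected and fixed versions listed above to the version string a node reports, including the 9.3 line, which is patched at 9.3.6 even though 9.3.x sorts below 9.4.2. The response shape is assumed from the `version.number` field of Elasticsearch's root (`GET /`) endpoint; the sample body is constructed.

```python
# Added example (not from the Elastic advisory): decide whether an Elasticsearch
# node's reported version falls in the affected ranges given above, including the
# 9.3 edge case where 9.3.6 is fixed even though it sorts below 9.4.2.
import json
import re

# Version ranges from the advisory: (first affected, last affected), inclusive.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 19, 16)),
    ((9, 0, 0), (9, 4, 2)),
]
# Fixed releases from the advisory; a version at or above the fix for its
# major.minor line is not affected even if it sits inside a range above.
FIXED_VERSIONS = [(8, 19, 17), (9, 3, 6), (9, 4, 3)]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH', ignoring any suffix such as '-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(version):
    """True if the version is in an affected range and below its line's fix."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    for fixed in FIXED_VERSIONS:
        # Same major.minor line and at/after the fix release: patched.
        if v[:2] == fixed[:2] and v >= fixed:
            return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def check_node_info(info_json):
    """Evaluate the JSON body returned by GET / on an Elasticsearch node."""
    info = json.loads(info_json)
    number = info["version"]["number"]
    return {"version": number, "affected": is_affected(number)}

# Constructed sample response, trimmed to the fields this check uses.
SAMPLE_NODE_INFO = '{"name": "node-1", "version": {"number": "9.3.5"}}'

if __name__ == "__main__":
    for v in ["8.19.16", "8.19.17", "9.3.5", "9.3.6", "9.4.2", "9.4.3", "7.17.0"]:
        print(v, "affected" if is_affected(v) else "not affected")
    print(check_node_info(SAMPLE_NODE_INFO))
```

Run it against the body each node returns for `GET /` to inventory which nodes still need the upgrade.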
For Users that Cannot Upgrade:
There are no workarounds for this vulnerability.
Indicators of Compromise (IOC)
No specific indicators of compromise have been identified for this vulnerability.
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-56148
Problem Type: CWE-674 - Uncontrolled Recursion
Impact: CAPEC-130 - Excessive Allocation