Elasticsearch 8.19.17, 9.3.6, 9.4.3 Security Update (ESA-2026-43)

Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.16
  • 9.x:
    • All versions from 9.0.0 up to and including 9.3.5
    • All versions from 9.4.0 up to and including 9.4.2

Affected Configurations:

  • Affects deployments that use machine learning. Exploitation requires an account with privileges to create or manage trained models.

Solutions and Mitigations:

The issue is resolved in versions 8.19.17, 9.3.6, and 9.4.3.

For Users Who Cannot Upgrade:

There are no workarounds for this vulnerability.

Indicators of Compromise (IOC):

No specific indicators of compromise have been identified for this vulnerability.

Elastic Cloud Serverless:

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (4.9) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-56149
Problem Type: CWE-770 - Allocation of Resources Without Limits or Throttling
Impact: CAPEC-130 - Excessive Allocation