Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-reachable query API, low privilege required, availability-only impact; no confidentiality or integrity loss applies.
Primary rating from Vendor (elastic).
CVSS VectorVendor: elastic
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.
AnalysisAI
Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Elasticsearch account with at minimum query (search) privileges, confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 6.5 (Medium) reflects the limited impact profile: availability-only with no confidentiality or integrity loss (C:N/I:N/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds any low-privilege Elasticsearch account - such as a developer with read access or an application service account - crafts a query containing deeply nested or recursively structured clauses and submits it via the standard REST API on port 9200. The query processing engine enters uncontrolled recursion, exhausting available resources until the node becomes unresponsive and drops out of the cluster. … |
| Remediation | Upgrade Elasticsearch to version 8.19.17 (for 8.x deployments), 9.3.6, or 9.4.3 (for 9.x deployments) as documented in Elastic Security Advisory ESA-2026-42 at https://discuss.elastic.co/t/elasticsearch-8-19-17-9-3-6-9-4-3-security-update-esa-2026-42. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Elasticsearch
View allDirectory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. Rated medium severit
The fix for CVE-2020-7009 was found to be incomplete. Rated high severity (CVSS 8.8), this vulnerability is remotely exp
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secre
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Le
The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files
An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration prope
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when th
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41065
GHSA-j6j2-p5xw-w2j8