Skip to main content

Elastic

Vendor security scorecard – 37 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 52
37
CVEs
2
Critical
7
High
0
KEV
0
PoC
3
Unpatched C/H
43.2%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
2
HIGH
7
MEDIUM
28
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-54350 {$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited. CRITICAL 9.8 0.4% 49
CVE-2026-31215 {index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. EPSS probability (0.12%) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the CVSS 9.1 reflects the severe impact of unauthenticated remote data deletion. CRITICAL 9.1 0.1% 46
No patch
CVE-2026-47835 NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text. HIGH 8.6 0.5% 43
CVE-2026-54008 Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list. HIGH 8.5 0.2% 43
CVE-2026-54320 Authentication bypass in Daytona prior to 0.184.0 allows attackers to join organizations via pending invitations using unverified email addresses. The invitation accept and decline paths failed to enforce email verification (unlike organization creation), so on OIDC identity providers permitting self-service signup with pre-verification sessions, an attacker registering an email matching a pending invite can claim it and inherit the assigned role - up to Owner. No public exploit identified at time of analysis, but the path to full Owner-level organization takeover makes this a high-priority fix. HIGH 8.4 0.2% 42
CVE-2026-49091 Log injection in Elastic Kibana (fixed in 7.17.15 and 8.11.1) allows an attacker with low-privilege access to embed unneutralized control characters in input that Kibana writes verbatim to its log files; when an operator later views those logs in a terminal that interprets ANSI/control sequences, the injected payload can forge, hide, or rewrite displayed log content. The issue is tracked as CWE-117 (Improper Output Neutralization for Logs) and carries a vendor CVSS of 8.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV. HIGH 8.0 0.2% 40
No patch
CVE-2026-45338 Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory. HIGH 7.7 0.0% 39
CVE-2026-42398 Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypass operator-configured egress allowlists by crafting a Webhook connector with an arbitrary target. The flaw enables Kibana to issue outbound HTTP requests to internal or otherwise restricted destinations, exposing sensitive data accessible from the Kibana host. No public exploit identified at time of analysis, and the vulnerability is not present on the CISA KEV list. HIGH 7.7 0.0% 39
No patch
CVE-2026-46487 Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known. HIGH 7.5 – 38
CVE-2026-15746 Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation. MEDIUM 6.9 – 34
CVE-2026-35211 Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE capability to submit computationally expensive, unvalidated scripts that saturate Elasticsearch cluster CPU, degrading or denying service for the entire platform. All OpenCTI deployments prior to version 7.260401.0 are affected, with the vulnerability residing in the exposed 'script' FilterOperator of the GraphQL API. No public exploit code or CISA KEV listing is confirmed at time of analysis; a vendor-released patch is available in version 7.260401.0. MEDIUM 6.5 0.4% 33
CVE-2026-56148 Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access. MEDIUM 6.5 0.3% 33
No patch
CVE-2026-49087 Denial of service in Kibana allows any authenticated user with low-privilege access to exhaust server resources via a specially crafted bulk deletion request, potentially rendering the Kibana interface completely unavailable. Affected are Kibana deployments prior to versions 8.19.15 and 9.3.4 across both the 8.x and 9.x release branches. The vulnerability requires no special configuration to be present and no user interaction beyond submitting the malicious request, making it reliably triggerable by any valid Kibana account holder. No public exploit or CISA KEV listing identified at time of analysis. MEDIUM 6.5 0.2% 33
No patch
CVE-2026-56151 Fleet policy management in Kibana is vulnerable to denial of service through insufficient validation of user-supplied policy inputs. An authenticated Kibana user with Fleet write access can submit a specially crafted Fleet policy input that bypasses server-side validation, rendering Fleet agent management, server operations, and policy configuration unavailable. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low authentication bar (any valid low-privilege account) and network accessibility make it a meaningful operational risk for organizations relying on Elastic Agent deployments. MEDIUM 6.5 0.2% 33
No patch
CVE-2026-49090 Sustained CPU exhaustion in Elasticsearch allows an authenticated low-privilege user to render an affected node unresponsive by submitting a specially crafted bulk request to the _bulk API endpoint. The root cause is CWE-400 (Uncontrolled Resource Consumption), whereby the bulk request processing path fails to bound CPU allocation per request, aligning with CAPEC-130 (Excessive Allocation). No public exploit identified at time of analysis, and no KEV listing exists; however, the low attack complexity and standard network accessibility of the bulk API make this a credible insider or compromised-credential threat in production environments. MEDIUM 6.5 0.2% 33
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy