CVE-2026-49090
Status: Received - Intake

Uncontrolled Resource Consumption in Elasticsearch

Vulnerability report for CVE-2026-49090, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Elastic

Description

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.


Meta Information

Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

4 associated CPEs

Vendor   Product        Version / Range                         Status
elastic  elasticsearch  before 7.17.24 (7.17.24 excluded)       affected
elastic  elasticsearch  8.0.0 through 8.14.9 (both inclusive)   affected
elastic  elasticsearch  7.17.24                                 fixed release (see Mitigation Strategies)
elastic  elasticsearch  8.15.0                                  fixed release (see Mitigation Strategies)

Exploitability

CWE ID   Description
CWE-400  The product does not properly control the allocation and maintenance of a limited resource.

Executive Summary

CVE-2026-49090 is a vulnerability in Elasticsearch where an authenticated user can submit a specially crafted bulk request that causes uncontrolled resource consumption. This leads to sustained high CPU usage on the affected node.

The excessive CPU consumption can render the node unable to process further requests, effectively causing a denial of service (DoS). This issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CAPEC-130 (Excessive Allocation).

Impact Analysis

The impact is denial of service on your Elasticsearch nodes. An attacker who holds valid credentials can exploit this flaw to drive sustained high CPU usage, leaving the affected node unresponsive and unable to serve legitimate requests.

Because the node stops processing requests, applications and services that depend on the cluster see downtime or degraded performance.

Detection Guidance

There are no specific indicators of compromise or detection commands identified for this vulnerability.

No exploit artifacts are described; the observable symptom is sustained high CPU on the node that handles the crafted bulk requests, so per-node CPU monitoring is the practical signal. Since the requests come from an authenticated user, pair that signal with the node's request or audit logging to identify which account is sending bulk traffic during the spike.
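A worked detector for the signal described above, added here as an example (it is not code from this page or from Elastic). It polls the two data sources an operator already has, node stats and the security audit log, flags nodes whose CPU stays high across consecutive polls, and lists which authenticated accounts were granted bulk requests in the same window. The field names match what Elasticsearch returns from GET _nodes/stats and writes to its JSON audit log, but the sample polls, audit lines, node names, addresses and the CPU_PCT / SUSTAINED_SAMPLES thresholds are constructed for the demo.

```python
"""Added example, not code from the advisory page or from Elastic.

Correlates the page's only stated signal (sustained high node CPU) with who is
issuing bulk requests. It reads two Elasticsearch data sources whose field
names are real, but the samples below are constructed for the demo:
  - polls of GET _nodes/stats/process,thread_pool: process.cpu.percent and the
    "write" thread pool (the pool that services bulk/index operations)
  - JSON lines from the Elasticsearch audit log (xpack.security.audit.enabled),
    where a bulk request appears as action "indices:data/write/bulk"
CPU_PCT and SUSTAINED_SAMPLES are assumed thresholds to tune per cluster.
"""
import json
from collections import Counter

CPU_PCT = 90            # assumption: >= 90% process CPU counts as "high"
SUSTAINED_SAMPLES = 3   # assumption: flag after 3 consecutive high polls


def _sample(nodes):
    """Build a minimal _nodes/stats-shaped document (constructed test data)
    from name -> (cpu percent, write active, write queue, write rejected)."""
    return {"nodes": {
        f"id-{name}": {
            "name": name,
            "process": {"cpu": {"percent": cpu}},
            "thread_pool": {"write": {"active": act, "queue": q, "rejected": rej}},
        }
        for name, (cpu, act, q, rej) in nodes.items()}}


# Constructed polls, one per interval: node-1 stays pegged with a growing
# write queue and rejections; node-2 has a single transient spike.
NODE_STATS_SAMPLES = [
    _sample({"node-1": (95, 8, 120, 0),  "node-2": (40, 1, 0, 0)}),
    _sample({"node-1": (98, 8, 180, 0),  "node-2": (93, 5, 60, 0)}),
    _sample({"node-1": (99, 8, 220, 17), "node-2": (35, 0, 0, 0)}),
    _sample({"node-1": (97, 8, 260, 44), "node-2": (30, 0, 0, 0)}),
]

# Constructed audit events in the JSON layout Elasticsearch writes (trimmed).
AUDIT_LINES = """
{"type":"audit","timestamp":"2026-07-01T10:00:01,104+0000","event.type":"transport","event.action":"access_granted","user.name":"ingest-svc","origin.address":"10.0.0.5:51234","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","timestamp":"2026-07-01T10:00:01,377+0000","event.type":"transport","event.action":"access_granted","user.name":"ingest-svc","origin.address":"10.0.0.5:51234","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","timestamp":"2026-07-01T10:00:02,090+0000","event.type":"transport","event.action":"access_granted","user.name":"dashboards","origin.address":"10.0.0.9:40022","action":"indices:data/read/search","request.name":"SearchRequest"}
{"type":"audit","timestamp":"2026-07-01T10:00:02,511+0000","event.type":"transport","event.action":"access_denied","user.name":"readonly","origin.address":"10.0.0.7:33110","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","timestamp":"2026-07-01T10:00:02,842+0000","event.type":"transport","event.action":"access_granted","user.name":"ingest-svc","origin.address":"10.0.0.5:51234","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","timestamp":"2026-07-01T10:00:03,015+0000","event.type":"transport","event.action":"access_granted","user.name":"etl-batch","origin.address":"10.0.0.12:60001","action":"indices:data/write/bulk","request.name":"BulkRequest"}
""".strip().splitlines()


def node_metrics(stats):
    """Extract cpu and write-pool fields per node name from a _nodes/stats response."""
    out = {}
    for node in stats["nodes"].values():
        write = node["thread_pool"]["write"]
        out[node["name"]] = {"cpu": node["process"]["cpu"]["percent"],
                             "active": write["active"], "queue": write["queue"],
                             "rejected": write["rejected"]}
    return out


def sustained_high_cpu(samples, threshold=CPU_PCT, needed=SUSTAINED_SAMPLES):
    """Names of nodes whose CPU stayed >= threshold for `needed` consecutive polls.
    A single spike (node-2 above) resets the streak and is not flagged."""
    streak, flagged = Counter(), set()
    for sample in samples:
        for name, m in node_metrics(sample).items():
            streak[name] = streak[name] + 1 if m["cpu"] >= threshold else 0
            if streak[name] >= needed:
                flagged.add(name)
    return flagged


def bulk_callers(audit_lines):
    """Count *granted* bulk requests per (user, source address). Denied attempts
    never reach the bulk handler, so they are excluded from the CPU correlation."""
    counts = Counter()
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("event.action") == "access_granted" and ev.get("action") == "indices:data/write/bulk":
            counts[(ev["user.name"], ev.get("origin.address", "unknown"))] += 1
    return counts


def triage(samples, audit_lines):
    """Join the two signals: which nodes are pegged, and who is sending bulk traffic."""
    last = node_metrics(samples[-1])
    hot = sorted(sustained_high_cpu(samples))
    return {
        "hot_nodes": {n: last[n] for n in hot},
        "bulk_callers": bulk_callers(audit_lines).most_common(),
    }


if __name__ == "__main__":
    print(json.dumps(triage(NODE_STATS_SAMPLES, AUDIT_LINES), indent=2))
```

In production the two inputs come from `GET _nodes/stats/process,thread_pool` on a timer and from tailing the audit log; the write thread pool's queue and rejected counters are included because a node that is CPU-bound on bulk work backs up that pool before it stops answering at all, which is an earlier warning than the CPU figure alone.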

Mitigation Strategies

The primary mitigation is to upgrade Elasticsearch to a fixed release: 7.17.24 or later on the 7.17 line, or 8.15.0 or later on the 8.x line.

No workaround removes the vulnerability for deployments that cannot upgrade.

Until the upgrade is applied, reduce exposure by ensuring that only trusted authenticated users hold the privileges needed to call the bulk API, since exploitation requires a valid account.
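A version check for the ranges this page lists, added here as an example (not code from this page or from Elastic). It takes the node inventory that `GET _nodes` returns, which carries a `version` per node, and reports every node still inside an affected range together with the fixed release to move to. The page gives no lower bound for the 7.x range ("to 7.17.24 (exc)"), so anything below 7.17.24 is treated as affected; the cluster name, node ids, node names and versions in the sample response are constructed.

```python
"""Added example, not code from the advisory page or from Elastic.

Checks every node in a cluster against the affected ranges this page lists
for CVE-2026-49090: all releases before 7.17.24, and 8.0.0 through 8.14.9
inclusive; fixed in 7.17.24 and 8.15.0. The node inventory is constructed
inline in the shape returned by GET _nodes (a real endpoint; cluster name,
node ids, names and versions are made up).
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIXED = {7: "7.17.24", 8: "8.15.0"}   # fixed releases named on the page


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch', ignoring a -SNAPSHOT or similar suffix."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the page's affected ranges."""
    v = parse_version(version)
    if v < (7, 17, 24):                      # page: "to 7.17.24 (exc)", no lower bound
        return True
    return (8, 0, 0) <= v <= (8, 14, 9)      # page: "From 8.0.0 (inc) to 8.14.9 (inc)"


def fixed_release_for(version: str) -> str:
    """Fixed release named on the page: 7.17.24 for anything below 8.x, else 8.15.0."""
    return FIXED[7] if parse_version(version)[0] < 8 else FIXED[8]


def affected_nodes(nodes_response: dict) -> Dict[str, Tuple[str, str]]:
    """Map node name -> (running version, fixed release) for each affected node."""
    found = {}
    for node in nodes_response["nodes"].values():
        ver = node["version"]
        if is_affected(ver):
            found[node["name"]] = (ver, fixed_release_for(ver))
    return found


# Constructed GET _nodes response (trimmed to the fields used): a mixed
# cluster part-way through an upgrade.
NODES_RESPONSE = {
    "cluster_name": "logs-prod",
    "nodes": {
        "aB1": {"name": "es-data-1", "version": "8.14.9"},
        "cD2": {"name": "es-data-2", "version": "8.15.0"},
        "eF3": {"name": "es-master-1", "version": "8.14.3"},
        "gH4": {"name": "es-legacy-1", "version": "7.17.23"},
        "iJ5": {"name": "es-legacy-2", "version": "7.17.24"},
    },
}

if __name__ == "__main__":
    for name, (ver, fix) in sorted(affected_nodes(NODES_RESPONSE).items()):
        print(f"{name}: {ver} is affected, upgrade to {fix} or later")
```

Run it against the live `GET _nodes` output rather than the cluster-wide version from `GET /`, because a rolling upgrade leaves individual nodes on the old release until each is restarted, and one unpatched node is still a DoS target for any account with bulk access.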
