CVE-2026-56149
Status: Received - Intake

Allocation of Resources Without Limits in Elasticsearch

Vulnerability report for CVE-2026-56149, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Elastic

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.

CVSS Scores

No CVSS score is listed for this CVE.

EPSS Scores

EPSS has not yet been evaluated for this CVE (no probability or percentile available).
Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

3 associated CPEs:

Vendor   Product        Affected version range
elastic  elasticsearch  < 8.19.17
elastic  elasticsearch  < 9.3.6
elastic  elasticsearch  < 9.4.3

"(exc)" in the CPE data means the upper bound is excluded, so each named release is the first fixed one. Read the three ranges per release line: 8.x before 8.19.17, 9.0 through 9.3 before 9.3.6, and 9.4.x before 9.4.3.


Exploitability

CWE ID: CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.


AI-generated analysis

Executive Summary

CVE-2026-56149 is a vulnerability in Elasticsearch where a user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption. The request is processed without a limit or throttle on the memory it allocates (CWE-770), so the affected node can be driven out of memory and made unavailable, a denial of service.

Impact Analysis

Successful exploitation causes a denial of service on the affected Elasticsearch node: an attacker holding the required machine learning privileges can drive memory consumption high enough to make the node unavailable and disrupt the services that depend on it.

Detection Guidance

There are no specific indicators of compromise or detection commands identified for this vulnerability. The issue involves excessive memory consumption caused by specially crafted machine learning requests submitted by users with elevated privileges.

Because exploitation requires an account with privileges to create or manage trained models, monitoring and auditing the activity of those accounts may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Elasticsearch to a fixed release: 8.19.17, 9.3.6 or 9.4.3, or a later version on the same release line.
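As an added example (not code from this report or from Elastic), the following Python check reads the version string from a node's root endpoint response (GET /, for instance the body returned by `curl -u user https://es.example.internal:9200/`) and tests it against the fixed releases listed above. The per-line reading of the three ranges (8.x fixed in 8.19.17, 9.0 through 9.3 in 9.3.6, 9.4.x in 9.4.3) and the sample response are assumptions of the example; a release line the report does not cover is reported as not listed rather than guessed.

```python
"""Check an Elasticsearch node's version against the fixed releases named in
this report for CVE-2026-56149 (8.19.17, 9.3.6, 9.4.3).

Added example; not code from the report or from Elastic.  The per-line
interpretation of the three ranges is an assumption of this example.
"""
import json
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each release line, taken from the advisory.
# Assumption: 8.x is fixed in 8.19.17, 9.0 through 9.3 in 9.3.6, 9.4.x in 9.4.3.
FIXED_RELEASES: Dict[str, Version] = {
    "8.x": (8, 19, 17),
    "9.0-9.3": (9, 3, 6),
    "9.4.x": (9, 4, 3),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' from a version string such as '9.3.5' or
    '9.3.5-SNAPSHOT'; a pre-release suffix is ignored."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fixed_release_for(version: Version) -> Optional[Version]:
    """Return the first fixed release on this version's line, or None when
    the advisory lists no range for that line (for example 7.x or 10.x)."""
    major, minor, _ = version
    if major == 8:
        return FIXED_RELEASES["8.x"]
    if major == 9:
        return FIXED_RELEASES["9.4.x"] if minor >= 4 else FIXED_RELEASES["9.0-9.3"]
    return None


def is_affected(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_release).  affected is True only when the
    version is strictly below the fixed release on its own line; a line the
    advisory does not cover yields (False, None) rather than a guess."""
    version = parse_version(version_text)
    fixed = fixed_release_for(version)
    if fixed is None:
        return False, None
    return version < fixed, ".".join(str(part) for part in fixed)


def check_node_info(root_response: str) -> Dict[str, object]:
    """Evaluate the JSON body of GET / (the cluster root endpoint), which
    carries the node's version under version.number."""
    info = json.loads(root_response)
    number = info["version"]["number"]
    affected, fixed = is_affected(number)
    return {
        "node": info.get("name"),
        "cluster": info.get("cluster_name"),
        "version": number,
        "affected": affected,
        "first_fixed_release": fixed,
    }


# Constructed sample of a GET / response; only the fields used above are shown.
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "es-data-1",
    "cluster_name": "search-prod",
    "version": {"number": "9.3.5", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    # Pipe a live response in (curl -u user https://host:9200/ | python3 check.py)
    # or run with no input to evaluate the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    print(json.dumps(check_node_info(raw or SAMPLE_ROOT_RESPONSE), indent=2))
```

Run it once per node rather than once per cluster: a mixed-version cluster during a rolling upgrade still has unpatched nodes until the last one is restarted on a fixed release.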

There are no available workarounds for users unable to upgrade.

Additionally, restricting or monitoring accounts with privileges to create or manage trained models can reduce the risk of exploitation.
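The following added example (neither this report's nor Elastic's code) serves both the detection guidance above and this mitigation note: it inventories which roles and native users hold a cluster privilege that covers trained-model management, then pulls trained-model requests out of the security audit log and flags requests from actors outside that inventory. Audit logging must be enabled in elasticsearch.yml (`xpack.security.audit.enabled: true`) for the log to exist. The role, user and audit records are constructed samples shaped like the responses of `GET /_security/role`, `GET /_security/user` and the JSON audit file; the field names, the transport action prefix `cluster:admin/xpack/ml/`, and the treatment of `all` and `manage` as privileges that include `manage_ml` are assumptions to verify against the installed version.

```python
"""Inventory accounts able to manage ML trained models in Elasticsearch and
pull trained-model requests out of the security audit log.

Added example for this report; not Elastic's code.  ROLES, USERS and
AUDIT_LINES are constructed samples shaped like GET /_security/role,
GET /_security/user and the JSON audit file (<cluster>_audit.json); verify
field names and ML action names against the installed version.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set

# Cluster privileges treated as covering trained-model management. manage_ml is
# the ML-specific privilege; all and manage are broader privileges assumed here
# to include it (adjust to match your policy).
ML_MANAGEMENT_PRIVILEGES = {"all", "manage", "manage_ml"}

# Built-in roles that carry such a privilege even if your role listing omits them.
BUILT_IN_ML_ADMIN_ROLES = {"superuser", "machine_learning_admin"}

ML_REST_PREFIX = "/_ml/trained_models"        # REST-layer audit events (url.path)
ML_ACTION_PREFIX = "cluster:admin/xpack/ml/"  # transport-layer events (action); assumed prefix


def roles_granting_ml_management(roles: Dict[str, dict]) -> Set[str]:
    """Roles whose cluster privileges include one from ML_MANAGEMENT_PRIVILEGES."""
    flagged = set(BUILT_IN_ML_ADMIN_ROLES)
    for name, definition in roles.items():
        if ML_MANAGEMENT_PRIVILEGES & set(definition.get("cluster", [])):
            flagged.add(name)
    return flagged


def users_with_ml_management(users: Dict[str, dict], flagged_roles: Set[str]) -> Set[str]:
    """Enabled native users holding at least one flagged role."""
    return {
        name for name, user in users.items()
        if user.get("enabled", True) and flagged_roles & set(user.get("roles", []))
    }


def trained_model_events(audit_lines: Iterable[str]) -> List[dict]:
    """Audit events that touch trained models, matched on url.path for REST
    events and on action for transport events (one request can yield both)."""
    hits = []
    for line in audit_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        layer = event.get("event.type")
        target = event.get("url.path", "") if layer == "rest" else event.get("action", "")
        prefix = ML_REST_PREFIX if layer == "rest" else ML_ACTION_PREFIX
        if target.startswith(prefix):
            hits.append({
                "timestamp": event.get("@timestamp"),
                "layer": layer,
                "user": event.get("user.name"),
                "source": event.get("origin.address"),
                "method": event.get("request.method"),
                "target": target,
            })
    return hits


def review(roles: Dict[str, dict], users: Dict[str, dict], audit_lines: Iterable[str]) -> Dict[str, object]:
    """Who can manage models, who did, and which actors are outside the native
    user inventory (role-mapped realm users, service tokens, API keys) and so
    need a closer look."""
    flagged_roles = roles_granting_ml_management(roles)
    ml_admins = users_with_ml_management(users, flagged_roles)
    by_user = Counter(event["user"] for event in trained_model_events(audit_lines))
    return {
        "roles_with_ml_management": sorted(flagged_roles),
        "native_users_with_ml_management": sorted(ml_admins),
        "trained_model_requests_by_user": dict(by_user),
        "requests_from_uninventoried_users": sorted(set(by_user) - ml_admins),
    }


# Constructed samples (not real deployment data).
ROLES = {
    "ml_ops": {"cluster": ["manage_ml", "monitor"], "indices": []},
    "log_reader": {"cluster": ["monitor"], "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "platform_admin": {"cluster": ["all"], "indices": []},
}
USERS = {
    "alice": {"username": "alice", "roles": ["ml_ops"], "enabled": True},
    "bob": {"username": "bob", "roles": ["log_reader"], "enabled": True},
    "carol": {"username": "carol", "roles": ["ml_ops"], "enabled": False},
    "svc_platform": {"username": "svc_platform", "roles": ["platform_admin"], "enabled": True},
}
AUDIT_LINES = [
    '{"type":"audit","@timestamp":"2026-07-02T08:15:01,123+0000","event.type":"rest","event.action":"authentication_success","user.name":"alice","origin.address":"10.0.0.5:51234","request.method":"PUT","url.path":"/_ml/trained_models/lang_ident_v2"}',
    '{"type":"audit","@timestamp":"2026-07-02T08:15:02,456+0000","event.type":"rest","event.action":"authentication_success","user.name":"bob","origin.address":"10.0.0.9:40021","request.method":"GET","url.path":"/logs-*/_search"}',
    '{"type":"audit","@timestamp":"2026-07-02T08:16:09,001+0000","event.type":"rest","event.action":"authentication_success","user.name":"svc_platform","origin.address":"10.0.0.7:33010","request.method":"POST","url.path":"/_ml/trained_models/lang_ident_v2/deployment/_start"}',
    '{"type":"audit","@timestamp":"2026-07-02T08:16:09,020+0000","event.type":"transport","event.action":"access_granted","user.name":"svc_platform","user.roles":["platform_admin"],"origin.address":"10.0.0.7:33010","action":"cluster:admin/xpack/ml/trained_models/deployment/start"}',
    '{"type":"audit","@timestamp":"2026-07-02T09:02:44,900+0000","event.type":"rest","event.action":"authentication_success","user.name":"mallory","origin.address":"10.0.3.40:57711","request.method":"PUT","url.path":"/_ml/trained_models/bulk_test_01"}',
]

if __name__ == "__main__":
    print(json.dumps(review(ROLES, USERS, AUDIT_LINES), indent=2))
```

In the sample the disabled user carol drops out of the inventory, svc_platform shows up twice for one request (its REST event and its transport event), and mallory appears in the log without being a native user with a flagged role, which is the kind of actor to trace back to a role mapping, service token or API key. Matching on request paths only tells you who is exercising the trained-model APIs; it does not by itself identify a crafted request, which the report says has no published indicator.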
