CVE Catalog

CVE-2026-49090

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

CVE-2026-49090 in Elasticsearch allows a denial of service (DoS) via uncontrolled resource consumption. An authenticated user can submit a specially crafted bulk request causing sustained high CPU usage, rendering the affected node unable to process requests.

Risk Assessment

The risk is that an attacker with a user account can effectively disable an Elasticsearch node, leading to service disruption for search and data analysis operations, impacting system availability.

Recommendation

Apply security patches provided by Elastic in the latest version immediately. As a temporary measure, limit the size of bulk requests and monitor CPU usage on nodes.

Original NVD description (English source)

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS