CVE Catalog

CVE-2026-56149

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

CWE-770 vulnerability in Elasticsearch allows a denial of service via excessive memory allocation. A privileged user can submit a crafted machine learning request, causing resource exhaustion and node unavailability.

Risk Assessment

The risk involves potential disruption of the Elasticsearch cluster, impacting the availability of search and data analytics services within the organization.

Recommendation

Immediately update Elasticsearch to a patched version and restrict privileges for users who can submit machine learning requests.

Original NVD description (English source)

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS