Elastic Elasticsearch
43 CVEs affecting Elastic Elasticsearch. Latest disclosed: 2025-12-18. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-31418 | High | 7.5 | 2023-10-26 | An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to e… |
| CVE-2025-37731 | Medium | 6.8 | 2025-12-15 | Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to ha… |
| CVE-2025-68384 | Medium | 6.5 | 2025-12-18 | Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CA… |
| CVE-2024-52979 | Medium | 6.5 | 2025-05-01 | Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service… |
| CVE-2024-52980 | Medium | 6.5 | 2025-04-08 | A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elast… |
| CVE-2024-43709 | Medium | 6.5 | 2025-01-21 | An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted… |
| CVE-2024-23445 | Medium | 6.5 | 2024-06-12 | It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#… |
| CVE-2023-46673 | Medium | 6.5 | 2023-11-22 | It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulat… |
| CVE-2023-31419 | Medium | 6.5 | 2023-10-26 | A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Deni… |
| CVE-2021-37937 | Medium | 5.9 | 2023-11-22 | An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that… |
| CVE-2025-37727 | Medium | 5.7 | 2025-10-10 | Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the… |
| CVE-2023-49921 | Medium | 5.2 | 2024-07-26 | An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of document… |
| CVE-2025-68390 | Medium | 4.9 | 2025-12-18 | Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Exces… |
| CVE-2024-52981 | Medium | 4.9 | 2025-04-08 | An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause… |
| CVE-2024-23444 | Medium | 4.9 | 2024-07-31 | It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Req… |
| CVE-2024-37280 | Medium | 4.9 | 2024-06-13 | A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certa… |
| CVE-2024-23450 | Medium | 4.9 | 2024-03-27 | A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash. |
| CVE-2024-23451 | Medium | 4.4 | 2024-03-27 | Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and b… |
| CVE-2024-23449 | Medium | 4.3 | 2024-03-29 | An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasti… |
| CVE-2023-31417 | Medium | 4.1 | 2023-10-26 | Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied whe… |