Resource exhaustion in Elasticsearch - CVE-2026-49090
Published: July 2, 2026
Elasticsearch
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the bulk API when processing a specially crafted bulk request. A remote user can submit a specially crafted bulk request to cause a denial of service.
The issue can cause sustained high CPU consumption and render the affected node unable to process requests.