Allocation of Resources Without Limits or Throttling in Elasticsearch - CVE-2026-56149
Published: July 2, 2026
Elasticsearch
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability is caused by allocation of resources without limits or throttling in the machine learning request handling functionality. A remote privileged user can submit a specially crafted machine learning request to cause a denial of service.
Only deployments that use machine learning are vulnerable. Exploitation requires privileges to create or manage trained models.
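To scope exposure against the precondition above, this added example (not part of the original advisory or of Elastic's tooling) lists enabled users whose roles allow managing trained models. It assumes the input has the shape returned by `GET /_security/role` and `GET /_security/user`, that the cluster privileges `all`, `manage` and `manage_ml` cover trained-model management, and that the raw action name shown is the one used for creating a model; the sample roles and users are constructed.

```python
import fnmatch

# Assumption: named cluster privileges that include trained-model management.
ML_ADMIN_PRIVS = {"all", "manage", "manage_ml"}
# Assumption: internal action name for creating a trained model; roles may
# grant raw action patterns instead of named privileges.
PUT_MODEL_ACTION = "cluster:admin/xpack/ml/inference/put"

def role_can_manage_models(role):
    """True if a role's cluster privileges cover trained-model management."""
    for priv in role.get("cluster", []):
        if priv in ML_ADMIN_PRIVS:
            return True
        # Raw action patterns such as "cluster:admin/xpack/ml/*".
        if ":" in priv and fnmatch.fnmatchcase(PUT_MODEL_ACTION, priv):
            return True
    return False

def exposed_users(roles, users):
    """Map each enabled user to the roles that let them manage trained models."""
    risky = {name for name, body in roles.items() if role_can_manage_models(body)}
    report = {}
    for name, body in users.items():
        held = sorted(risky.intersection(body.get("roles", [])))
        if held and body.get("enabled", True):
            report[name] = held
    return report

# Constructed sample data in the shape of GET /_security/role and /_security/user.
SAMPLE_ROLES = {
    "ml_engineer": {"cluster": ["manage_ml"], "indices": []},
    "ml_viewer": {"cluster": ["monitor_ml"], "indices": []},
    "pipeline_bot": {"cluster": ["cluster:admin/xpack/ml/*"], "indices": []},
    "log_reader": {"cluster": [], "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
}
SAMPLE_USERS = {
    "alice": {"roles": ["ml_engineer", "log_reader"], "enabled": True},
    "bob": {"roles": ["ml_viewer"], "enabled": True},
    "ci-svc": {"roles": ["pipeline_bot"], "enabled": True},
    "old-admin": {"roles": ["ml_engineer"], "enabled": False},
}

if __name__ == "__main__":
    for user, held in exposed_users(SAMPLE_ROLES, SAMPLE_USERS).items():
        print(f"{user}: {', '.join(held)}")
```

Users reported here are the accounts whose privileges should be reviewed and reduced where trained-model management is not needed.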