CVE-2026-49090
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
CVE-2026-49090 in Elasticsearch allows a denial of service (DoS) via uncontrolled resource consumption. An authenticated user can submit a specially crafted bulk request causing sustained high CPU usage, rendering the affected node unable to process requests.
Risk Assessment
The risk is that an attacker with a user account can effectively disable an Elasticsearch node, leading to service disruption for search and data analysis operations, impacting system availability.
Recommendation
Apply security patches provided by Elastic in the latest version immediately. As a temporary measure, limit the size of bulk requests and monitor CPU usage on nodes.
Original NVD description (English source)
Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.

