CVE-2026-49090

Source
https://cve.org/CVERecord?id=CVE-2026-49090
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49090.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49090
Aliases
Downstream
Published
2026-07-01T17:15:54.359Z
Modified
2026-07-15T19:48:11.471731Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service
Details

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.

Database specific
{
    "cwe_ids": [
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49090.json",
    "cna_assigner": "elastic",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.14.3"
                },
                {
                    "introduced": "7.0.0"
                },
                {
                    "last_affected": "7.17.23"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Database specific
{
    "cpe": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.17.24"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.15.0"
        }
    ],
    "source": "CPE_RANGE"
}

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "142192629617725741299022729598204077325",
            "length": 271.0
        },
        "deprecated": false,
        "id": "CVE-2026-49090-8673e70a",
        "target": {
            "function": "createThreadPool",
            "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "90979555117259467445263826000722655414",
                "233880512092644159509098133445422903781",
                "201588729648204699044316536751211233144",
                "150381386453785713982991137249591284441"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-49090-9c9105ba",
        "target": {
            "file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/fcf25fff740db6ab3ed5d145c58d70e4c3528ea7",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "302806869156825138967016505708747002294",
            "length": 77.0
        },
        "deprecated": false,
        "id": "CVE-2026-49090-c48c689a",
        "target": {
            "function": "doRun",
            "file": "x-pack/plugin/searchable-snapshots/src/internalClusterTest/java/org/elasticsearch/xpack/searchablesnapshots/cache/full/SearchableSnapshotsPrewarmingIntegTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "137023518409038292133452283468593548723",
            "length": 2537.0
        },
        "deprecated": false,
        "id": "CVE-2026-49090-cae71c55",
        "target": {
            "function": "validateApiKeyCredentials",
            "file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/fcf25fff740db6ab3ed5d145c58d70e4c3528ea7",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "15728880044678428613885107089167214246",
                "173618939874799114652410357105564381038",
                "293761876996285912564783256243232366190",
                "198593980507136286893931030547799247876",
                "206709190616943257201853921897333917313",
                "197399493388089925234224283026471881528",
                "44508774986651643012206413574234642238",
                "166140435195922692091311330906342127134",
                "196437853667451077775668990843785496875",
                "333451065704095536815766263903785873394",
                "72868878619308445828107324034491913956"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-49090-e4c81f6d",
        "target": {
            "file": "x-pack/plugin/searchable-snapshots/src/internalClusterTest/java/org/elasticsearch/xpack/searchablesnapshots/cache/full/SearchableSnapshotsPrewarmingIntegTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/fcf25fff740db6ab3ed5d145c58d70e4c3528ea7",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "108010166469262082174614297143144359609",
            "length": 9761.0
        },
        "deprecated": false,
        "id": "CVE-2026-49090-f406637e",
        "target": {
            "function": "testConcurrentPrewarming",
            "file": "x-pack/plugin/searchable-snapshots/src/internalClusterTest/java/org/elasticsearch/xpack/searchablesnapshots/cache/full/SearchableSnapshotsPrewarmingIntegTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "203603482067859804637258967793063382345",
                "322917609237158501780418561654099552269",
                "256253239670756748785358014200135771045",
                "315837561795991804971382438615044649236",
                "146427732354523605064218080296921708373",
                "173231181477074759296592300368901057611",
                "61022203414500058386117304455448959197",
                "193300915082347298917541114706348147175",
                "258077855627316307519262695880736716066",
                "125996974648388146940214377483342596447",
                "40188819877500306413169533609100026446",
                "97819836589033936183410863291812511956",
                "28174937397667876549461977660517314954",
                "135344447971163041939327739838227678862",
                "339252469867217754068016957649395888437"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-49090-fbf59ae4",
        "target": {
            "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
        }
    }
]
vanir_signatures_modified
"2026-07-15T19:48:11Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49090.json"