Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.
{
"cwe_ids": [
"CWE-400"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49090.json",
"cna_assigner": "elastic",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.14.3"
},
{
"introduced": "7.0.0"
},
{
"last_affected": "7.17.23"
}
],
"source": "AFFECTED_FIELD"
}
]
}[
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "142192629617725741299022729598204077325",
"length": 271.0
},
"deprecated": false,
"id": "CVE-2026-49090-8673e70a",
"target": {
"function": "createThreadPool",
"file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"90979555117259467445263826000722655414",
"233880512092644159509098133445422903781",
"201588729648204699044316536751211233144",
"150381386453785713982991137249591284441"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-49090-9c9105ba",
"target": {
"file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/fcf25fff740db6ab3ed5d145c58d70e4c3528ea7",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "302806869156825138967016505708747002294",
"length": 77.0
},
"deprecated": false,
"id": "CVE-2026-49090-c48c689a",
"target": {
"function": "doRun",
"file": "x-pack/plugin/searchable-snapshots/src/internalClusterTest/java/org/elasticsearch/xpack/searchablesnapshots/cache/full/SearchableSnapshotsPrewarmingIntegTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "137023518409038292133452283468593548723",
"length": 2537.0
},
"deprecated": false,
"id": "CVE-2026-49090-cae71c55",
"target": {
"function": "validateApiKeyCredentials",
"file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/fcf25fff740db6ab3ed5d145c58d70e4c3528ea7",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"15728880044678428613885107089167214246",
"173618939874799114652410357105564381038",
"293761876996285912564783256243232366190",
"198593980507136286893931030547799247876",
"206709190616943257201853921897333917313",
"197399493388089925234224283026471881528",
"44508774986651643012206413574234642238",
"166140435195922692091311330906342127134",
"196437853667451077775668990843785496875",
"333451065704095536815766263903785873394",
"72868878619308445828107324034491913956"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-49090-e4c81f6d",
"target": {
"file": "x-pack/plugin/searchable-snapshots/src/internalClusterTest/java/org/elasticsearch/xpack/searchablesnapshots/cache/full/SearchableSnapshotsPrewarmingIntegTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/fcf25fff740db6ab3ed5d145c58d70e4c3528ea7",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "108010166469262082174614297143144359609",
"length": 9761.0
},
"deprecated": false,
"id": "CVE-2026-49090-f406637e",
"target": {
"function": "testConcurrentPrewarming",
"file": "x-pack/plugin/searchable-snapshots/src/internalClusterTest/java/org/elasticsearch/xpack/searchablesnapshots/cache/full/SearchableSnapshotsPrewarmingIntegTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"203603482067859804637258967793063382345",
"322917609237158501780418561654099552269",
"256253239670756748785358014200135771045",
"315837561795991804971382438615044649236",
"146427732354523605064218080296921708373",
"173231181477074759296592300368901057611",
"61022203414500058386117304455448959197",
"193300915082347298917541114706348147175",
"258077855627316307519262695880736716066",
"125996974648388146940214377483342596447",
"40188819877500306413169533609100026446",
"97819836589033936183410863291812511956",
"28174937397667876549461977660517314954",
"135344447971163041939327739838227678862",
"339252469867217754068016957649395888437"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-49090-fbf59ae4",
"target": {
"file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
}
}
]
"2026-07-15T19:48:11Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49090.json"