GHSA-22vx-2x23-98w6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-22vx-2x23-98w6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-22vx-2x23-98w6/GHSA-22vx-2x23-98w6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-22vx-2x23-98w6
- Published
- 2026-05-07T00:08:04Z
- Modified
- 2026-05-07T00:17:57.818987Z
- Severity
-
- 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- OpenSearch vulnerable to improper authorization for Rollover Requests
- Details
-
Description
A flaw was identified in the OpenSearch Security plugin's handling of index rollover requests. When a rollover request included an explicit target index name, the security plugin did not properly evaluate access control permissions against the target index. This could allow a user with rollover permissions on a source index to create a new index with a name they are not authorized to use.
Impact
A user with
indices:admin/rolloverpermission on a source index pattern could roll over to a target index name outside their authorized index patterns. This is limited to index creation via the rollover API and requires the user to already have rollover privileges on the source index.Patches
This issue is fixed in OpenSearch 2.19.4 and 3.2.0
Workarounds
Grant the
indices:admin/rolloverpermission only to fully trusted users. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-07T00:08:04Z", "cwe_ids": [ "CWE-863" ], "severity": "LOW", "nvd_published_at": null }- References
Affected packages
Maven / org.opensearch.plugin:opensearch-security
Package
- Name
- org.opensearch.plugin:opensearch-security
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opensearch.plugin/opensearch-security
Maven / org.opensearch.plugin:opensearch-security
Package
- Name
- org.opensearch.plugin:opensearch-security
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opensearch.plugin/opensearch-security