GHSA-83x9-vc3c-hghc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-83x9-vc3c-hghc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-83x9-vc3c-hghc/GHSA-83x9-vc3c-hghc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-83x9-vc3c-hghc
- Published
- 2026-05-07T00:07:42Z
- Modified
- 2026-05-07T00:19:58.948308Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths
- Details
-
Description
A flaw was identified in the OpenSearch REST layer that could allow authorization checks to be bypassed when processing certain malformed HTTP requests. This could permit unauthorized access to restricted API endpoints in environments that rely on REST-layer authorization.
Transport-level authorization is not affected by this issue.
Impact
The default OpenSearch distribution is not affected by this issue. REST actions in the default distribution have corresponding transport actions that independently enforce authorization. Custom plugins that register REST actions without a corresponding transport action may be affected, potentially allowing unauthorized read access to those endpoints.
Patches
This issue is fixed in OpenSearch 2.19.0. Users should upgrade to 2.19.0 or later.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-07T00:07:42Z", "cwe_ids": [ "CWE-863" ], "severity": "LOW", "nvd_published_at": null }- References
Affected packages
Maven / org.opensearch.plugin:opensearch-security
Package
- Name
- org.opensearch.plugin:opensearch-security
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opensearch.plugin/opensearch-security