CVE-2020-7009: Elasticsearch API Keys Can Be Used for Privilege Escalation
GHSA-gfv5-grx2-9jw2
CVE-2020-7009
Summary
An attacker who is permitted to create API keys in Elasticsearch can use that ability to obtain elevated privileges. Affected releases are Elasticsearch 6.7.0 through 6.8.7 and 7.0.0 through 7.6.1. To fix this, update to a non-vulnerable version of Elasticsearch.
What to do
- On the 6.x line, update org.elasticsearch:elasticsearch to version 6.8.8.
- On the 7.x line, update org.elasticsearch:elasticsearch to version 7.6.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| maven | elasticsearch | org.elasticsearch:elasticsearch | >= 6.7.0, <= 6.8.7; >= 7.0.0, <= 7.6.1 (Fix: upgrade to 6.8.8) |
Original title
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key c...
Original description
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
CVSS 3.1 (GHSA): 8.8
Vulnerability type
CWE-266: Incorrect Privilege Assignment
CWE-269: Improper Privilege Management
Published: 31 Mar 2020 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026