In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Affected Packages

Maven org.elasticsearch:elasticsearch

Affected versions: 7.11.0 (fixed in 7.11.2)

Maven org.elasticsearch:elasticsearch

Affected versions: 0 (fixed in 6.8.15)

Related CVEs

CVE-2021-22137

Key Information

GHSA ID

GHSA-hr65-qq6p-87r4

Published

May 24, 2022 7:02 PM

Last Modified

June 22, 2022 6:23 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.elasticsearch:elasticsearch

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.