CVE-2024-12539 MEDIUM

CVE-2024-12539: Elasticsearch Incorrect Authorization

Vendor Elastic

Product Elasticsearch

Weakness CWE-863 · Incorrect authorization

Published December 17, 2024

Last update December 17, 2024

View on NVD All CVEs

CVSS base score

6.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

Key dates

02Disclosure timeline

December 17, 2024 CVE published

December 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12539 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

04Related CVE

CVE-2024-6337 Incorrect Authorization allows read access to issues in GitHub Enterprise Server CVE-2024-13281 Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 CVE-2025-8068 HT Mega – Absolute Addons For Elementor <= 2.9.1 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions CVE-2026-31991 OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist CVE-2024-48911 OpenCanary Executes Commands From Potentially Writable Config File