OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths

GHSA-83x9-vc3c-hghc

Published May 7, 2026 · Modified May 7, 2026

Description

A flaw was identified in the OpenSearch REST layer that could allow authorization checks to be bypassed when processing certain malformed HTTP requests. This could permit unauthorized access to restricted API endpoints in environments that rely on REST-layer authorization.

Transport-level authorization is not affected by this issue.

Impact

The default OpenSearch distribution is not affected by this issue. REST actions in the default distribution have corresponding transport actions that independently enforce authorization. Custom plugins that register REST actions without a corresponding transport action may be affected, potentially allowing unauthorized read access to those endpoints.

Patches

This issue is fixed in OpenSearch 2.19.0. Users should upgrade to 2.19.0 or later.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes