OpenSearch, Improper Authorization, GHSA-22vx-2x23-98w6 (Low)


The vulnerability stems from a flaw in the OpenSearch Security plugin's handling of index rollover requests. Normally, an index rollover operation moves an alias from an existing index to a newly created index, and the request may explicitly name the target index. Because the plugin performs no permission check on that target index, a user with `indices:admin/rollover` permission on the source index (or on a pattern matching it) is not required to hold any `indices:admin/create` or `indices:admin/auto_create` permission for the target index name. The security plugin never evaluates access control lists (ACLs) for the target index during the rollover request, so an authenticated user can create an index whose name lies outside every index pattern their roles allow.
Any authenticated user who already holds rollover privileges on a source index pattern can mount the attack: they send a rollover request that includes an explicit target index name not covered by their role's index patterns. The security plugin skips the authorization check for that target name and creates the index, even though the user has no permission to create or write to it.
The issue is limited to index creation via the rollover API; it grants no read, write, or delete permission on existing indices. The impact is the creation of arbitrary indices outside authorized patterns. The flaw affects all OpenSearch versions from 1.0.0 up to 2.19.3, and 3.x versions from 3.0.0 up to 3.1.0.

DailyCVE Form

Platform: OpenSearch
Version: 1.0.0–2.19.3, 3.0.0–3.1.0
Vulnerability: Improper Authorization
Severity: Low
Date: May 7, 2026

Prediction: May 10, 2026

What Undercode Say:

Check your OpenSearch version:

```shell
curl -s -XGET 'localhost:9200' | jq '.version.number'
```

Simulate the vulnerability:

```shell
# Attacker with rollover permission on 'source-*' tries to roll over to 'restricted-index'
curl -XPOST 'localhost:9200/source-alias/_rollover' -H 'Content-Type: application/json' -d'
{
  "target_index_name": "restricted-index"
}'
```

Python script to audit indices:admin/rollover permissions:

```python
import requests

# Pull every role from the Security plugin REST API (admin credentials assumed)
roles = requests.get('https://localhost:9200/_plugins/_security/api/roles',
                     auth=('admin', 'admin'), verify=False).json()
for name, role in roles.items():
    # indices:admin/rollover is an index-level action, so it lives in index_permissions;
    # action groups that expand to indices:admin/* (e.g. manage, indices_all) also grant it
    for perm in role.get('index_permissions', []):
        if 'indices:admin/rollover' in perm.get('allowed_actions', []):
            print(f"Warning: Role '{name}' has high-risk rollover permission on {perm.get('index_patterns')}")
```

Protection: remove the risky permission (example):

```shell
curl -XPUT 'localhost:9200/_plugins/_security/api/roles/my_secure_role' -H 'Content-Type: application/json' -d'
{
  "cluster_permissions": [],
  "index_permissions": [{
    "index_patterns": ["logs-*"],
    "allowed_actions": ["read", "write"]
  }]
}'
```

Exploit:

  1. Authenticate as a user who has `indices:admin/rollover` on a source index pattern (e.g., logs-*).
  2. Identify an existing alias that points to an index matching that pattern (e.g., logs-2026.05.06).
  3. Send a `POST /<alias>/_rollover` request with an explicit `target_index_name` that is not allowed by the user's index patterns (e.g., secret-finance).
  4. The security plugin creates the new index with the forbidden name, bypassing authorization checks.

Protection from this CVE

  • Upgrade to OpenSearch 2.19.4 (or 3.2.0) or later.
  • Workaround: Grant the `indices:admin/rollover` permission only to fully trusted users.
  • Restrict rollover requests to indices that use system-generated names instead of explicit user-supplied target names.
  • Use an API gateway or request validator to block rollover requests that contain a `target_index_name` field.
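The request validator suggested above, and the target-index check the vulnerable plugin omitted, as an added Python example that is neither OpenSearch's code nor the write-up's own: it decides whether a rollover request may proceed by matching any explicit target name against the caller's allowed index patterns. It assumes a constructed role-to-pattern table and handles an explicit target both in the path (`/<alias>/_rollover/<target>`, as the OpenSearch API takes it) and in a `target_index_name` body key as in the write-up's curl example.

```python
import fnmatch
import json
import re
from urllib.parse import unquote

# Constructed role model for this example: role name -> index patterns on which
# the role holds indices:admin/rollover. A deployment would load this from the
# Security plugin roles API instead.
ROLLOVER_PATTERNS = {
    "log_writer": ["logs-*"],
    "admin": ["*"],
}

# Rollover requests look like POST /<alias>/_rollover[/<target-index>]
ROLLOVER_PATH = re.compile(r"^/(?P<alias>[^/]+)/_rollover(?:/(?P<target>[^/]+))?/?$")


def explicit_target(path, body=None):
    """Return the explicit target index named by a rollover request, or None.

    None also covers "not a rollover request", which a gateway should pass through.
    """
    m = ROLLOVER_PATH.match(path.split("?", 1)[0])
    if not m:
        return None
    target = m.group("target")
    if target is None and body:
        # the write-up's curl example names the target in the body instead
        try:
            target = json.loads(body).get("target_index_name")
        except (ValueError, AttributeError):
            target = None
    return unquote(target) if target else None


def rollover_decision(role, path, body=None):
    """Gateway-side check: 'allow', or a 'deny: ...' reason.

    Without an explicit target, rollover derives the new name from the source
    index, so it stays inside the source index's naming scheme. With one, the
    target must match a pattern the role holds: the check the plugin skipped.
    """
    target = explicit_target(path, body)
    if target is None:
        return "allow"
    if any(fnmatch.fnmatchcase(target, p) for p in ROLLOVER_PATTERNS.get(role, [])):
        return "allow"
    return f"deny: role {role!r} may not create index {target!r} via rollover"
```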

Impact

  • Unauthorized index creation: An attacker can create indices with arbitrary names, potentially interfering with log rotation or index lifecycle management.
  • Bypass of index-pattern restrictions: The attacker can create indices that are not covered by any role's allowed index patterns, violating least-privilege policies.
  • Low severity, limited scope: The impact is restricted to index creation; no read, write, or delete operations are allowed on existing indices.


Sources:

Reported By: github.com