How the mentioned CVE works:
- The OpenSearch Security plugin implements Document-Level Security (DLS) to restrict user access to specific documents within an index.
- Normally, the plugin injects a security filter into queries to enforce these restrictions.
- A flaw exists in how the plugin processes the `has_child` or `has_parent` join queries.
- These queries are used to link parent and child documents within the same index using the `join` field type.
- The root cause is a failure to apply the DLS filter to the sub-queries that power these join relations.
- When a user issues a search query containing `has_child` or `has_parent`, the plugin does not evaluate the DLS rules against the linked documents.
- This allows an authenticated, low-privileged user to retrieve documents they should not have access to.
- For example, a user with a DLS rule restricting them to only “public” child documents can use a `has_parent` query to access a restricted “internal” parent document.
- The bypass is silent, as no errors or warnings are logged.
- The flaw affects all versions of OpenSearch between 1.0.0 and 2.19.3, and 3.0.0 to 3.1.0.
- It only impacts clusters where DLS is actively configured on an index that also utilizes a `join` field for parent-child relationships.
- The vulnerability is rooted in the security plugin's query rewriting logic, which fails to traverse and secure `has_child`/`has_parent` relations.
- The impact is a complete bypass of DLS rules, leading to potential data breaches.
- A fix is available in OpenSearch versions 2.19.4 and 3.2.0, which corrects the filter application for join queries.
- A primary workaround is to avoid using the `join` field type on any index where DLS is enforced.
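As an added example (not code from the advisory or from the OpenSearch project), the following Python script applies the two preconditions above to an offline audit: it flags version strings that fall in the affected ranges and lists indices whose mapping contains a `join` field and that are also covered by a DLS rule in some role. The mapping and role documents are constructed samples that mirror the shapes returned by `GET _mapping` and `GET _plugins/_security/api/roles`.

```python
import fnmatch
import re

# Affected ranges stated in the advisory: 1.0.0-2.19.3 and 3.0.0-3.1.0.
def is_affected_version(version: str) -> bool:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unexpected version string: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    if major == 1:
        return True
    if major == 2:
        return (minor, patch) <= (19, 3)
    return major == 3 and minor <= 1

def has_join_field(properties: dict) -> bool:
    # Recurse into object fields; a `join` type anywhere enables parent/child queries.
    return any(f.get("type") == "join" or has_join_field(f.get("properties", {}))
               for f in properties.values())

def find_exposed_indices(mappings: dict, roles: dict) -> dict:
    # index name -> set of roles whose DLS rule covers that join-field index
    exposed = {}
    for index, body in mappings.items():
        if not has_join_field(body.get("mappings", {}).get("properties", {})):
            continue
        for role, spec in roles.items():
            for perm in spec.get("index_permissions", []):
                if perm.get("dls") and any(
                        fnmatch.fnmatch(index, p) for p in perm.get("index_patterns", [])):
                    exposed.setdefault(index, set()).add(role)
    return exposed

# Constructed sample responses (shapes of GET _mapping and the security roles API).
SAMPLE_MAPPINGS = {
    "tickets": {"mappings": {"properties": {
        "rel": {"type": "join", "relations": {"ticket": "comment"}},
        "visibility": {"type": "keyword"}}}},
    "audit": {"mappings": {"properties": {"msg": {"type": "text"}}}},
}
SAMPLE_ROLES = {
    "public_reader": {"index_permissions": [{"index_patterns": ["tickets*"],
        "dls": '{"term": {"visibility": "public"}}', "allowed_actions": ["read"]}]},
    "auditor": {"index_permissions": [{"index_patterns": ["audit"],
        "allowed_actions": ["read"]}]},
}
if __name__ == "__main__":
    print(is_affected_version("2.19.3"), is_affected_version("2.19.4"))  # True False
    print(find_exposed_indices(SAMPLE_MAPPINGS, SAMPLE_ROLES))  # {'tickets': {'public_reader'}}
```

Any index the script reports needs either the patched version or the workaround above (dropping the `join` field where DLS is enforced).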
DailyCVE Form:
Platform: OpenSearch Security Plugin
Version: 1.0.0 – 2.19.3/3.x
Vulnerability: DLS Bypass
Severity: Moderate
Date: 2026-04-30
Prediction: 2026-05-15
Analytics – What Undercode Say:
Check for vulnerable OpenSearch versions (matches 1.x, 2.0.0 to 2.19.3 and 3.0.x to 3.1.x as stated above)
curl -s "http://localhost:9200/" | grep -oE '"number"[[:space:]]*:[[:space:]]*"(1\.[0-9]+\.[0-9]+|2\.([0-9]|1[0-8])\.[0-9]+|2\.19\.[0-3]|3\.[01]\.[0-9]+)"'
Test DLS configuration (example for a role with a has_parent query)
curl -X GET "localhost:9200/your-index/_search?pretty" -H 'Content-Type: application/json' -u 'user:pass' -d'
{
  "query": {
    "has_parent": {
      "parent_type": "restricted_type",
      "query": { "match_all": {} }
    }
  }
}
'
Exploit:
An attacker with valid credentials crafts a search query containing a `has_parent` clause targeting a parent document type protected by DLS. The query bypasses the DLS filter, returning all parent documents.
Protection from this CVE:
Immediately upgrade to OpenSearch version 2.19.4 or 3.2.0. If upgrading is not possible, remove the `join` field type from any index that has DLS rules applied.
Impact:
An authenticated user can read any document in the index, bypassing DLS, leading to unauthorized access to sensitive data, including Personally Identifiable Information (PII) or financial records. The breach is difficult to detect as all requests appear legitimate.
Sources:
Reported By: github.com