CVE-2021-22146

HIGH

Elastic Cloud Enterprise - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-22146. PoCs published by Joan Martinez, magichk.

AI-analyzed exploit summary: This exploit leverages CVE-2021-22146 to perform an anonymous database dump in Elasticsearch ECE versions 7.10.0 to 7.13.3. It sends bulk requests to the Elasticsearch API to dump indices without authentication.

Description

All versions of Elastic Cloud Enterprise have the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Exploits (2)

exploitdb WORKING POC
by Joan Martinez · python · webapps · multiple
https://www.exploit-db.com/exploits/50152

This exploit leverages CVE-2021-22146 to perform an anonymous database dump in Elasticsearch ECE versions 7.10.0 to 7.13.3. It sends bulk requests to the Elasticsearch API to dump indices without authentication.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch ECE (Cloud) versions >= 7.10.0 to <= 7.13.3
No auth needed
Prerequisites: Network access to the Elasticsearch API endpoint · Elasticsearch ECE instance running a vulnerable version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by magichk · poc
https://github.com/magichk/cve-2021-22146

The repository contains a functional Python script that exploits CVE-2021-22146, an information disclosure vulnerability in Elasticsearch ECE versions 7.10.0 to 7.13.3. The exploit sends crafted bulk requests to dump database indices without authentication.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch ECE 7.10.0 to 7.13.3
No auth needed
Prerequisites: Network access to the Elasticsearch ECE instance · Target running a vulnerable version of Elasticsearch ECE
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210819-0005/

Scores

CVSS v3 7.5
EPSS 0.2779
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Status published
Products (1)
elastic/elasticsearch 7.13.3
Published Jul 21, 2021
Tracked Since Feb 18, 2026