
Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)

Published: 13 January 2026 at 20:55:33

Alert date: 13 January 2026 at 21:04:42

Source: discuss.elastic.co


Database & Storage, Enterprise Applications

An Information Disclosure vulnerability (CVE-2025-66566) exists in the yawkat LZ4 Java library used by Elasticsearch that allows attackers to read previous buffer contents through specially crafted compressed input sent via the transport layer. The vulnerability affects Elasticsearch versions 7.14.0+ through 7.17.29, 8.0.0+ through 8.19.9, and multiple 9.x versions. Users should upgrade to versions 8.19.10, 9.1.10, or 9.2.4. Workarounds include switching to deflate compression or disabling compression entirely. The vulnerability has a high CVSS score of 8.4.

Affected products:

Elasticsearch
yawkat LZ4 Java

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
