Elastic Cloud Enterprise
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Elastic Cloud Enterprise.
By the Year
In 2026 there have been 0 vulnerabilities in Elastic Cloud Enterprise. Last year, in 2025 Elastic Cloud Enterprise had 2 security vulnerabilities published. Right now, Elastic Cloud Enterprise is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 8.95 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.50 |
| 2022 | 2 | 5.90 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 3 | 6.23 |
It may take a day or so for new Elastic Cloud Enterprise vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Elastic Cloud Enterprise Security Vulnerabilities
Elastic CE improper auth allows privilege escalation via readonly APIs
CVE-2025-37736
8.8 - High
- November 07, 2025
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts delete:/platform/configuration/security/service-accounts/{user_id} patch:/platform/configuration/security/service-accounts/{user_id} post:/platform/configuration/security/service-accounts/{user_id}/keys delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id} patch:/user post:/users post:/users/auth/keys delete:/users/auth/keys delete:/users/auth/keys/_all delete:/users/auth/keys/{api_key_id} delete:/users/{user_id}/auth/keys delete:/users/{user_id}/auth/keys/{api_key_id} delete:/users/{user_name} patch:/users/{user_name}
AuthZ
CVE-2025-37729: ECE Jinjava Template Injection RCE
CVE-2025-37729
9.1 - Critical
- October 13, 2025
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
1336
Unauthorized OOM via Malformed HTTP Requests in Elasticsearch
CVE-2023-31418
7.5 - High
- October 26, 2023
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild.
Resource Exhaustion
ECE <3.1.1 SAML Private Key Exposure via Logs
CVE-2022-23716
5.3 - Medium
- September 28, 2022
A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster.
Insertion of Sensitive Information into Log File
Sensitive Data Leak via API Logs in Elastic Cloud Enterprise <3.4
CVE-2022-23715
6.5 - Medium
- August 25, 2022
A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore
Insertion of Sensitive Information into Log File
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters
CVE-2018-3825
5.9 - Medium
- September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
Insecure Default Initialization of Resource
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability
CVE-2018-3828
7.5 - High
- September 19, 2018
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.
Insertion of Sensitive Information into Log File
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered
CVE-2018-3829
5.3 - Medium
- September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.
Authentication Bypass by Spoofing
The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper
CVE-2017-8444
- September 28, 2017
The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.
Cleartext Transmission of Sensitive Information
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Elastic Cloud Enterprise or by Elastic? Click the Watch button to subscribe.
