Elastic cloud enterprise

This hub aggregates every CVE we track for Elastic cloud enterprise, a product in the databases space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 11 most recently published vulnerabilities affecting Elastic cloud enterprise.

• CVE-2025-37736Elastic Cloud Enterprise Improper Authorization8.8Nov 7, 2025
• CVE-2025-37729Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine9.1Oct 13, 2025
• CVE-2024-37282It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated p...8.1Jun 28, 2024
• CVE-2023-31418Elasticsearch uncontrolled resource consumption7.5Oct 26, 2023
• CVE-2022-23716A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster.5.3Sep 28, 2022
• CVE-2022-23715A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log ...6.5Aug 25, 2022
• CVE-2021-22146All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and i...7.5Jul 21, 2021
• CVE-2018-3825In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritte...5.9Sep 19, 2018
• CVE-2018-3828Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords,...7.5Sep 19, 2018
• CVE-2018-3829In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous ...5.3Sep 19, 2018
• CVE-2017-8444The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the cli...5.9Sep 28, 2017