Expected Findings
- `xpack.security.enabled` is false on the cluster.
- `_cat/indices` lists tenant-segmented data.
- `_search` returns documents including credentials and PII.
Search Cluster
Open Elasticsearch
An Elasticsearch cluster is reachable on the public internet with security disabled, so any caller can list indices and pull documents across tenants.
CWE-306CWE-200
ES probe
Primary Flows
- Cluster health Anonymous cluster info
- List indices Index inventory
- Search users Document dump
Signals
Config
xpack.security.enabled: false network.host: 0.0.0.0