GHSA-22vx-2x23-98w6: OpenSearch vulnerable to improper authorization for Rollover Requests
A flaw was identified in the OpenSearch Security plugin’s handling of index rollover requests. When a rollover request included an explicit target index name, the security plugin did not properly evaluate access control permissions against the target index. This could allow a user with rollover permissions on a source index to create a new index with a name they are not authorized to use.
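A simplified model of the check described above, added here as an illustration and not taken from the OpenSearch Security plugin: it contrasts an authorization step that evaluates only the source index with one that also evaluates an explicit target index. The role, index names, and function names are constructed for the example; `indices:admin/rollover` is the rollover action name.

```python
from fnmatch import fnmatchcase

ROLLOVER = "indices:admin/rollover"

# Constructed role: index patterns mapped to the actions they grant (hypothetical).
ROLE = {"logs-app-*": {ROLLOVER}}


def allowed(role, action, index):
    """True if any pattern in the role matches the index and grants the action."""
    return any(fnmatchcase(index, pattern) and action in actions
               for pattern, actions in role.items())


def indices_source_only(source, target=None):
    """Flawed resolution: an explicit target never reaches the access check."""
    return [source]


def indices_source_and_target(source, target=None):
    """Corrected resolution: an explicit target is evaluated like the source."""
    return [source] + ([target] if target else [])


def authorize_rollover(role, source, target, resolve):
    """Return (decision, denied_indices) for one rollover request."""
    denied = [i for i in resolve(source, target)
              if not allowed(role, ROLLOVER, i)]
    return (not denied, denied)


# Constructed requests: (source index, explicit target index or None).
REQUESTS = [
    ("logs-app-000001", None),
    ("logs-app-000001", "logs-app-000002"),
    ("logs-app-000001", "audit-000001"),
]

if __name__ == "__main__":
    for source, target in REQUESTS:
        flawed, _ = authorize_rollover(ROLE, source, target, indices_source_only)
        fixed, denied = authorize_rollover(ROLE, source, target,
                                           indices_source_and_target)
        print(f"{source} -> {target}: flawed={flawed} fixed={fixed} denied={denied}")
```

The same comparison can be used as a regression test for any access-control layer placed in front of rollover requests: every index name the request resolves to, including the explicit target, should appear in the set that is checked.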