GHSA-x83w-23jp-g6pw: OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation
A flaw was identified in the OpenSearch Security plugin’s document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents that should have been restricted by DLS rules.
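An added example, not part of the advisory or of the OpenSearch project's code: has_child and has_parent queries require a join field in the index mapping, so exposure can be scoped by listing the roles whose DLS rule covers an index that has one. The role names, index names and mappings below are constructed sample data, and index-pattern matching is simplified to * and ? wildcards.

```python
import fnmatch

# Constructed sample data (not from the advisory), shaped like GET <index>/_mapping
# output and Security plugin role definitions.
MAPPINGS = {
    "qa-threads": {"mappings": {"properties": {
        "body": {"type": "text"},
        "thread": {"type": "join", "relations": {"question": "answer"}}}}},
    "hr-records": {"mappings": {"properties": {"name": {"type": "keyword"}}}},
}
ROLES = {
    "support_reader": {"index_permissions": [{
        "index_patterns": ["qa-*"], "allowed_actions": ["read"],
        "dls": '{"term": {"visibility": "public"}}'}]},
    "hr_reader": {"index_permissions": [{
        "index_patterns": ["hr-*"], "allowed_actions": ["read"],
        "dls": '{"term": {"dept": "hr"}}'}]},
    "qa_admin": {"index_permissions": [{
        "index_patterns": ["qa-*"], "allowed_actions": ["indices_all"]}]},
}


def join_fields(properties, prefix=""):
    """Dotted names of every `join`-typed field, recursing into object fields."""
    found = []
    for name, spec in properties.items():
        if spec.get("type") == "join":
            found.append(prefix + name)
        found += join_fields(spec.get("properties", {}), prefix + name + ".")
    return found


def exposed_pairs(roles, mappings):
    """(role, index, join_field) wherever a DLS rule covers an index with a join field."""
    hits = set()
    for role, spec in roles.items():
        for perm in spec.get("index_permissions", []):
            if not perm.get("dls"):
                continue  # no DLS rule here, so nothing for the flaw to bypass
            for idx, m in mappings.items():
                # Simplification: only * and ? wildcards are matched.
                if any(fnmatch.fnmatchcase(idx, p) for p in perm.get("index_patterns", [])):
                    for field in join_fields(m.get("mappings", {}).get("properties", {})):
                        hits.add((role, idx, field))
    return sorted(hits)


if __name__ == "__main__":
    print(exposed_pairs(ROLES, MAPPINGS))
```

Each tuple returned is a role and index combination to review first when prioritising the plugin upgrade; roles without a DLS rule and indices without a join field are out of scope for this flaw.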