Valtik Studios
Elasticsearch · critical · Updated 2026-04-17 (orig. 2026-01-08) · 13 min read

Elasticsearch: The Open Cluster Epidemic

Elasticsearch ships with no authentication by default. The _search endpoint returns every indexed document, _cat/indices lists every index, and _cluster/settings exposes internal configuration. Thousands of clusters are publicly exposed with customer PII, logs, and credentials. It is a recurring pattern in data breach forensics and vulnerability assessments.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

Shodan still indexes thousands of these every week

Run this Shodan query right now: port:9200 "cluster_name". Scroll. You'll see IP addresses of production Elasticsearch clusters with no authentication enabled, exposing every index to anyone who asks.

This has been true since 2013. Elastic shipped authentication into the free tier in 2021. Operators still deploy clusters on the public internet with the default config. Every major breach post of the last five years has one of these somewhere in the incident.

No authentication by default

Elasticsearch ships with security features disabled. Out of the box, anyone who can reach port 9200 has full access to every index, every document, and every cluster setting. No login prompt, no API key, no authentication of any kind.

The enumeration chain

  1. GET / - confirms Elasticsearch, returns version and cluster name
  2. GET /_cat/indices?v - lists every index with document count and size
  3. GET /{index}/_search?size=1000 - dumps up to 1000 documents from any index
  4. GET /_cluster/settings?include_defaults=true - full cluster configuration

What we find in exposed clusters

Elasticsearch is used for logging, search, and analytics. Exposed clusters typically contain:

  • Application logs with full request/response bodies (including auth tokens and passwords)
  • User search history and behavioral analytics
  • Customer PII indexed for search functionality
  • Infrastructure metrics revealing internal architecture

Kibana compounds the problem

Kibana (the Elasticsearch UI) also ships with no authentication. If Kibana is exposed, it provides a visual interface to browse every index, run arbitrary queries, and modify cluster settings.

How we detect this

Our scanner:

  1. Probes port 9200 for the Elasticsearch banner
  2. Requests /_cat/indices to enumerate all indices
  3. Samples documents from the first few indices to assess data sensitivity
  4. Checks for Kibana on port 5601
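An audit script of the kind described above, added here as an example (it is not Valtik's scanner): it runs the same probes against a host you own, stops at index names and document counts rather than sampling documents, and takes an injectable `get` so the constructed responses at the bottom exercise it offline. The hostname example.test and the responses are made up.

```python
import json
import urllib.error
import urllib.request
ES_PORT, KIBANA_PORT = 9200, 5601

def http_get(url, timeout=5):
    """Plain GET with no credentials; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def classify_es_root(status, body):
    """Classify the answer to GET / on port 9200."""
    if status in (401, 403):
        return "auth-enforced"  # security is on and rejects anonymous callers
    try:
        doc = json.loads(body) if status == 200 else {}
    except ValueError:
        doc = {}
    # An anonymous client should never be handed the cluster banner
    return "open-elasticsearch" if "cluster_name" in doc and "version" in doc else "not-elasticsearch"

def parse_cat_indices(text):
    """Turn `_cat/indices?v` tabular output into (index, docs.count) pairs."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    recs = [dict(zip(rows[0], r)) for r in rows[1:]]
    return [(r.get("index"), r.get("docs.count")) for r in recs]

def audit(host, get=http_get):
    """Run the post's checks; `get` is injectable so the run below works offline."""
    status, body = get(f"http://{host}:{ES_PORT}/")
    report = {"elasticsearch": classify_es_root(status, body), "indices": []}
    if report["elasticsearch"] == "open-elasticsearch":
        status, body = get(f"http://{host}:{ES_PORT}/_cat/indices?v")
        if status == 200:
            report["indices"] = parse_cat_indices(body)
    status, _ = get(f"http://{host}:{KIBANA_PORT}/api/status")
    report["kibana"] = "open-kibana" if status == 200 else "auth-enforced" if status in (401, 403) else "absent"
    return report

# Constructed responses standing in for one misconfigured host (not real data).
FAKE = {
    "/": (200, json.dumps({"name": "n1", "cluster_name": "prod-logs", "version": {"number": "7.10.2"}})),
    "/_cat/indices?v": (200, "health status index uuid pri rep docs.count docs.deleted store.size pri.store.size\n"
                             "green open app-logs-2026.01 u1 1 1 48213 0 35mb 17mb\n"
                             "yellow open customers u2 1 1 9120 0 4mb 4mb\n"),
    "/api/status": (401, '{"statusCode":401}'),
}
def fake_get(url, timeout=5):
    return FAKE.get("/" + url.split("/", 3)[3], (404, ""))
print(audit("example.test", get=fake_get))
```

A host that has applied the fixes below should report auth-enforced for both services; an open-elasticsearch result with a non-empty index list is exactly the finding the post describes.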

Defense

  • Enable Elasticsearch Security (X-Pack); it's been free since version 6.8
  • Set xpack.security.enabled: true in elasticsearch.yml
  • Configure TLS for inter-node and client communication
  • Never expose port 9200 or 5601 to the internet
  • Use a reverse proxy with authentication if external access is needed

Tags: elasticsearch, data exposure, observability, data breach, vulnerability assessment, cloud security, penetration testing, research

Want us to check your Elasticsearch setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
