HackerOne Disclosed Reports - 2026-06-17

High
resolved

Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql


Bug reported by AB was disclosed on June 17, 2026, 2:17 pm   |   Code Injection

The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sort_query argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the script's return value determined the document ordering in the search results.
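One way to apply the server-side validation and allowlisting the report says was missing, as an added example that is not HackerOne's code or part of the report. It assumes `sort_query` arrives as a JSON Elasticsearch sort clause; the field allowlist and all function names are hypothetical.

```python
import json

# Hypothetical allowlist; the real sortable fields are not given in the report.
ALLOWED_SORT_FIELDS = {"created_at", "severity_rating", "_score"}
ALLOWED_ORDERS = {"asc", "desc"}


class SortRejected(ValueError):
    """Raised when a client-supplied sort clause is not on the allowlist."""


def _clause(item):
    # Accept "field", {"field": "desc"} or {"field": {"order": "desc"}} only.
    if isinstance(item, str):
        field, order = item, "asc"
    elif isinstance(item, dict) and len(item) == 1:
        (field, spec), = item.items()
        if isinstance(spec, dict):
            # Any option besides "order" (e.g. "script", "type") is refused.
            if set(spec) - {"order"}:
                raise SortRejected(f"unsupported sort options for {field!r}")
            order = spec.get("order", "asc")
        else:
            order = spec
    else:
        raise SortRejected("malformed sort clause")
    # "_script", "_geo_distance" and unknown fields all fail this check.
    if field not in ALLOWED_SORT_FIELDS:
        raise SortRejected(f"sort key {field!r} is not allowed")
    if not isinstance(order, str) or order not in ALLOWED_ORDERS:
        raise SortRejected(f"sort order {order!r} is not allowed")
    return {field: {"order": order}}


def build_sort(sort_query, max_clauses=3):
    """Parse client JSON and return a sort list rebuilt from allowlisted parts."""
    try:
        parsed = json.loads(sort_query)
    except (TypeError, ValueError) as exc:
        raise SortRejected("sort_query is not valid JSON") from exc
    items = parsed if isinstance(parsed, list) else [parsed]
    if not 1 <= len(items) <= max_clauses:
        raise SortRejected("unexpected number of sort clauses")
    # Only the rebuilt structure is forwarded to Elasticsearch, never the raw input.
    return [_clause(item) for item in items]
```

Rebuilding the clause from validated parts, rather than filtering the client's JSON and passing it through, means a script-based sort key can never reach the search backend even if a new sort option is added to Elasticsearch later.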

