HackerOne Disclosed Reports - 2026-06-17

High
resolved

Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql

Bug reported by AB was disclosed at June 17, 2026, 2:17 pm   |   Code Injection

The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sort_query argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the script's return value determined the document ordering in the search results.