Yesterday, 12:30 PM
High
resolved
resolved
Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql
Bug reported by AB was disclosed at June 17, 2026, 2:17 pm | Code Injection
The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sort_query argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the script's return value determined the document ordering in the search results.