EGI SVG Advisories

Advisory-EGI-SVG-2026-20

CRITICAL risk OpenSearch malware

Date: 2026-05-21

Updated: 2026-06-30

DESCRIPTION

CRITICAL risk vulnerability: malicious packages were embedded into four release versions of OpenSearch. See [R 1] [R 2].

IDs AND CVSS SCORE

EGI SVG ID : EGI-SVG-2026-20

CVE ID : N/A

CVSSv3 Score:

ACTIONS REQUIRED/RECOMMENDED

Urgent action is required on hosts running OpenSearch software.

Please consult [R 1] [R 2] and take action on affected hosts, if any, as soon as possible!

Hosts that were running one of the malware-containing versions must be considered compromised. In such cases, please follow up with your institute’s computer security team.

STATUS OF THIS ADVISORY

TLP:CLEAR information - Unlimited distribution

https://advisories.egi.eu/Advisory-EGI-SVG-2026-20

Minor updates may be made without re-distribution to the sites.

CONTACT AND OTHER INFORMATION ON SVG

See [R 99] for further details, and other information on SVG.

REFERENCES

CREDITS

SVG was alerted to this vulnerability by the EGI CSIRT, among others.