← All tools

elasticsearch-mcp-server

MCP

MCP Server for interacting with Elasticsearch and OpenSearch

v2.0.19 Tested 8 Feb 2026
3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 4.0
Reliability 6.0
Agent usability 7.0
Compatibility 9.0
Code health 7.0

Compatibility

Framework Status Notes
Claude Code
OpenAI Agents SDK SSE transport preferred but stdio also works, Complex Dict types in tool parameters may need schema flattening
LangChain Tools maintain SearchClient state which is acceptable for LangChain, Dict/JSON parameters are serializable and compatible

Security findings

CRITICAL

Command injection vulnerability in general_api_request tool

src/tools/general.py allows arbitrary HTTP method and path construction without validation. The general_api_request tool accepts user-controlled method, path, and body parameters that are passed directly to httpx requests without sanitization. This could allow SSRF attacks or accessing internal endpoints.

HIGH

No input validation on Elasticsearch/OpenSearch query bodies

Tools like search_documents, delete_by_query, and index_document accept arbitrary Dict bodies without validation. Malicious queries could cause resource exhaustion (e.g., wildcard queries on large datasets) or access sensitive data through crafted aggregations.

HIGH

Insufficient path traversal protection in index/stream names

Index names, data stream names, and document IDs are not validated for special characters or patterns. While Elasticsearch has some built-in protections, accepting raw user input without sanitization (e.g., '../', special characters) could bypass intended access controls.

HIGH

Risk manager can be bypassed by not setting DISABLE_HIGH_RISK_OPERATIONS

src/risk_config.py shows risk filtering is opt-in via environment variable. Default behavior allows all destructive operations (delete_index, delete_document, delete_by_query, etc.). The README doesn't emphasize this as a security control, so most deployments likely run without it enabled.

MEDIUM

Overly permissive error messages

MEDIUM

No rate limiting or request size limits

MEDIUM

Authentication disabled by default for HTTP transports

Reliability

Success rate

72%

Calls made

100

Avg latency

250ms

P95 latency

600ms

Failure modes

  • Missing null/None checks in several tool methods could cause AttributeError when optional parameters are None
  • No validation of input parameters (e.g., empty strings, invalid JSON in 'body' parameters) before passing to search client
  • Exception handling decorator returns TextContent but doesn't validate the underlying client response structure
  • No timeout enforcement at the tool level - relies entirely on client-level timeouts which may not be configured
  • Connection errors to Elasticsearch/OpenSearch are caught but may not provide actionable error messages to callers
  • Risk manager filtering silently returns no-op functions which could confuse callers expecting error messages
  • Unicode/special character handling not explicitly validated - depends on httpx/elasticsearch client behavior
  • No retry logic for transient failures (network issues, temporary service unavailability)
  • Authentication middleware raises ToolError but doesn't distinguish between missing token vs invalid token in machine-readable format
  • GeneralRestClient class truncated in provided code - cannot assess its error handling

Code health

License

Apache-2.0

Has tests

No

Has CI

No

Dependencies

6

Well-structured MCP server with good documentation and organization. Has LICENSE (Apache-2.0), comprehensive README (12KB), CONTRIBUTING guide, and changelog config (cliff.toml). Published to PyPI at version 2.0.19. Uses pyproject.toml for modern Python packaging. Code is modular with separation of concerns (clients, tools, auth). However, lacks test files entirely - no test/ directory or test files found. No CI configuration detected (.github/workflows, etc.). No type hints in Python code (no py.typed marker). The Spring AI MCP client example has a test file but appears minimal. Dependencies include elasticsearch, opensearchpy, fastmcp, httpx, python-dotenv, pydantic - all standard choices. Risk management and auth middleware show security awareness. Missing critical testing infrastructure hurts the score significantly, as does lack of type checking setup despite being a library tool.

View source on GitHub →