CVE-2026-47216
Description
An unauthenticated DoS vulnerability in Typesense's /multi_search endpoint allows remote attackers to crash the server process via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unauthenticated denial-of-service vulnerability exists in the /multi_search endpoint of Typesense prior to versions 29.1 and 30.2. A specially crafted request triggers an unhandled exception during request processing, causing the server process to terminate. The endpoint is accessible over the network without authentication, and the condition requires no special configuration beyond running an affected version [1].
Exploitation
An attacker can exploit this issue by sending a crafted request to the /multi_search endpoint over the network. No authentication or prior access is required. The exact request structure that triggers the unhandled exception has not been publicly detailed, but the attack can be performed remotely without any user interaction [1].
Impact
Successful exploitation results in termination of the Typesense server process, leading to service unavailability. The duration of impact may vary depending on system configuration and dataset size. This vulnerability does not affect data confidentiality or integrity [1].
Mitigation
Typesense has fixed this issue in versions 29.1 and 30.2. Users are strongly advised to upgrade to the patched version closest to their current running version as soon as possible. No workarounds have been disclosed, and there is no indication of this CVE being listed in CISA KEV [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
References: 1
News mentions: 0. No linked articles in our index yet.