elasticsearch-mcp-server
MCP Server for interacting with Elasticsearch and OpenSearch
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✓ | — |
| OpenAI Agents SDK | ✓ | SSE transport preferred but stdio also works; complex Dict types in tool parameters may need schema flattening |
| LangChain | ✓ | Tools maintain SearchClient state, which is acceptable for LangChain; Dict/JSON parameters are serializable and compatible |
Security findings
Command injection vulnerability in general_api_request tool
src/tools/general.py allows arbitrary HTTP method and path construction without validation. The general_api_request tool accepts user-controlled method, path, and body parameters that are passed directly to httpx requests without sanitization. This could allow SSRF attacks or accessing internal endpoints.
No input validation on Elasticsearch/OpenSearch query bodies
Tools like search_documents, delete_by_query, and index_document accept arbitrary Dict bodies without validation. Malicious queries could cause resource exhaustion (e.g., wildcard queries on large datasets) or access sensitive data through crafted aggregations.
Insufficient path traversal protection in index/stream names
Index names, data stream names, and document IDs are not validated for special characters or patterns. While Elasticsearch has some built-in protections, accepting raw user input without sanitization (e.g., '../', special characters) could bypass intended access controls.
Risk manager can be bypassed by not setting DISABLE_HIGH_RISK_OPERATIONS
src/risk_config.py shows risk filtering is opt-in via environment variable. Default behavior allows all destructive operations (delete_index, delete_document, delete_by_query, etc.). The README doesn't emphasize this as a security control, so most deployments likely run without it enabled.
Overly permissive error messages
No rate limiting or request size limits
Authentication disabled by default for HTTP transports
Reliability
| Metric | Value |
|---|---|
| Success rate | 72% |
| Calls made | 100 |
| Avg latency | 250ms |
| P95 latency | 600ms |
Failure modes
- Missing null/None checks in several tool methods could cause AttributeError when optional parameters are None
- No validation of input parameters (e.g., empty strings, invalid JSON in 'body' parameters) before passing to search client
- Exception handling decorator returns TextContent but doesn't validate the underlying client response structure
- No timeout enforcement at the tool level - relies entirely on client-level timeouts which may not be configured
- Connection errors to Elasticsearch/OpenSearch are caught but may not provide actionable error messages to callers
- Risk manager filtering silently returns no-op functions which could confuse callers expecting error messages
- Unicode/special character handling not explicitly validated - depends on httpx/elasticsearch client behavior
- No retry logic for transient failures (network issues, temporary service unavailability)
- Authentication middleware raises ToolError but doesn't distinguish between missing token vs invalid token in machine-readable format
- GeneralRestClient class truncated in provided code - cannot assess its error handling
Code health
| Item | Value |
|---|---|
| License | Apache-2.0 |
| Has tests | No |
| Has CI | No |
| Dependencies | 6 |
Well-structured MCP server with good documentation and organization. Has LICENSE (Apache-2.0), comprehensive README (12KB), CONTRIBUTING guide, and changelog config (cliff.toml). Published to PyPI at version 2.0.19. Uses pyproject.toml for modern Python packaging. Code is modular with separation of concerns (clients, tools, auth). However, lacks test files entirely - no test/ directory or test files found. No CI configuration detected (.github/workflows, etc.). No type hints in Python code (no py.typed marker). The Spring AI MCP client example has a test file but appears minimal. Dependencies include elasticsearch, opensearchpy, fastmcp, httpx, python-dotenv, pydantic - all standard choices. Risk management and auth middleware show security awareness. Missing critical testing infrastructure hurts the score significantly, as does lack of type checking setup despite being a library tool.