This list summarizes the most important breaking changes in Elasticsearch 7.6.2. For the complete list, go to Elasticsearch breaking changes.

Security changesedit

Elasticsearch API key privilegesedit

If you use an API key to create another API key (sometimes called a derived key), its behavior is impacted by the fix for CVE-2020-7009.

When you make a request to create API keys, you can specify an expiration and privileges for the API key. Previously, when you created a derived key, it had no privileges. This behavior disregarded any privileges that you specified in the create API key API.

As of 7.6.2, this behavior changes. To create derived keys with no privileges, you must explicitly specify an empty role descriptor. For example:

...
"role_descriptors": {
    "no-privilege": {
    }
}
...