Elastic Stack Security Announcements

Security Announcements – Discuss the Elastic Stack

Topics in the ‘Security Announcements’ category: security announcements for the Elastic Stack.

  • Logstash 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-29)
    by ismisepaul on April 8, 2026 at 4:32 pm

    Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write

    Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x: All versions from 9.0.0 up to and including 9.2.7; all versions from 9.3.0 up to and including 9.3.2

    Affected Configurations: Deployments with the GeoIP database downloader enabled and configured to use an external update endpoint are affected. The risk is elevated in configurations where automatic pipeline configuration reloading is enabled and the pipeline configuration directory is writable by the Logstash process.

    Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

    For Users that Cannot Upgrade:
    - Disable the GeoIP database downloader by setting xpack.geoip.downloader.enabled: false in the Logstash configuration.
    - Ensure the GeoIP downloader endpoint uses HTTPS and points to a trusted source.
    - Disable automatic pipeline configuration reloading to prevent code execution via written files.
    - Restrict filesystem write permissions for the Logstash process to only necessary directories.

    Indicators of Compromise (IOC):
    - Check for unexpected files written outside the GeoIP database directory.
    - Review the filesystem for files that should not exist in pipeline configuration directories or other sensitive locations.
    - Monitor Logstash logs for GeoIP database download activity, particularly downloads from unexpected endpoints.
    - Check for unexplained pipeline configuration files or changes to existing pipeline configurations.
    - Review file integrity monitoring alerts for writes to directories outside the expected GeoIP data path.

    Severity: CVSSv3.1: High (8.1) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2026-33466
    Problem Type: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    Impact: CAPEC-139 – Relative Path Traversal
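    As an added illustration of the defect class in ESA-2026-29 (example code written for this listing, not Logstash's own extraction code): a constructed gzip tar carrying a `../` member is extracted twice, once with a loop that trusts member names as-is and once with a check that every member is a regular file whose fully resolved path stays under the destination directory. The archive contents, member names and scratch directories are all constructed for the example.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive: a plausible database file plus one member
    whose name climbs out of the extraction directory (the CWE-22 pattern)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in [
            ("GeoLite2-City.mmdb", b"not-a-real-mmdb"),
            ("../pipelines/injected.conf", b"input { stdin {} }"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base: str, target: str) -> bool:
    """True only if target, fully resolved (symlinks and '..' included), sits under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def _write_member(tar: tarfile.TarFile, member: tarfile.TarInfo, dest: str) -> str:
    path = os.path.join(dest, member.name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(tar.extractfile(member).read())
    return os.path.realpath(path)


def extract_unsafe(archive: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: member names are joined to dest and written without
    validation, so a '../' member lands outside dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return [_write_member(tar, m, dest) for m in tar.getmembers()]


def unsafe_member_names(archive: bytes, dest: str) -> list[str]:
    """Names of members that must not be extracted: anything that is not a
    regular file (symlinks and hardlinks are another escape route) or whose
    resolved path leaves dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return [
            m.name for m in tar.getmembers()
            if not m.isfile() or not is_within(dest, os.path.join(dest, m.name))
        ]


def extract_safe(archive: bytes, dest: str) -> list[str]:
    """Hardened pattern: validate every member before writing anything, and
    abort on the first offender rather than leave a half-extracted archive."""
    bad = unsafe_member_names(archive, dest)
    if bad:
        raise ValueError(f"refusing archive with unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return [_write_member(tar, m, dest) for m in tar.getmembers()]


def demo() -> dict:
    """Run both extractors against the constructed archive in a scratch directory."""
    archive = build_malicious_tar()
    root = tempfile.mkdtemp(prefix="esa-2026-29-")
    unsafe_dest = os.path.join(root, "geoip-unsafe")
    safe_dest = os.path.join(root, "geoip-safe")
    os.makedirs(unsafe_dest)
    os.makedirs(safe_dest)

    unsafe_paths = extract_unsafe(archive, unsafe_dest)
    try:
        extract_safe(archive, safe_dest)
        safe_raised = False
    except ValueError:
        safe_raised = True

    return {
        "escaped": [p for p in unsafe_paths if not is_within(unsafe_dest, p)],
        "injected_conf_exists": os.path.exists(os.path.join(root, "pipelines", "injected.conf")),
        "rejected": unsafe_member_names(archive, safe_dest),
        "safe_raised": safe_raised,
        "safe_dir_empty": os.listdir(safe_dest) == [],
    }


if __name__ == "__main__":
    print(demo())
```

    The point of validating before writing is that a partially extracted update is itself a risk: the hardened path refuses the whole archive. On Python 3.12 (and the backports that added the argument) the standard library's `tarfile` extraction `filter="data"` performs equivalent checks; the hand-rolled version is shown so the check is visible.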

  • Kibana 9.3.3 Security Update (ESA-2026-28)
    by ismisepaul on April 8, 2026 at 4:29 pm

    Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure

    Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

    Affected Versions:
    9.x: All versions from 9.3.0 up to and including 9.3.2

    Affected Configurations: Deployments running Kibana 9.3.x with the Workflows Execution Engine enabled. Exploitation requires an authenticated user with workflow creation and execution privileges.

    Solutions and Mitigations: The issue is resolved in version 9.3.3.

    Indicators of Compromise (IOC):
    - Monitor workflow execution logs for HTTP step executions that result in redirect responses, particularly those targeting internal hosts not on the allowlist.
    - Review Kibana audit logs for workflow execution activity, focusing on HTTP step executions with redirect-following behavior.
    - Monitor network logs for outbound connections from Kibana to unexpected internal hosts.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.8) – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE ID: CVE-2026-33458
    Problem Type: CWE-918 – Server-Side Request Forgery (SSRF)
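    The IOCs above point at redirect responses, which is the classic way an outbound-host allowlist gets bypassed: the first URL is checked, the server answers 302 to an internal address, and the HTTP client follows it without a second check. The following added example (written for this listing; it is not Kibana's Workflows code and does not claim to reproduce its logic) contrasts that shape with a client that re-validates every hop. The network is replaced by a constructed redirect table, and all hostnames, including the allowlist, are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed stand-in for the network: a URL present as a key answers with a
# redirect to its value; any other URL answers 200. Hosts are assumptions.
REDIRECTS = {
    "https://api.example.com/hook": "http://169.254.169.254/latest/meta-data/",
    "https://api.example.com/bounce": "https://api.example.com/final",
    "https://api.example.com/loop": "https://api.example.com/loop",
}
ALLOWLIST = {"api.example.com"}   # operator policy: the only host a workflow may call
MAX_REDIRECTS = 5


def host_allowed(url: str, allowlist: set) -> bool:
    """Scheme must be http(s) and the hostname must be on the allowlist."""
    parsed = urlparse(url)
    host = parsed.hostname
    return parsed.scheme in ("http", "https") and host is not None and host.lower() in allowlist


def fetch_naive(url: str, allowlist=ALLOWLIST, redirects=REDIRECTS) -> list:
    """Allowlist checked once, on the initial URL only; redirects are then
    followed blindly. Returns the chain of URLs actually requested."""
    if not host_allowed(url, allowlist):
        raise PermissionError(f"initial host not allowed: {url}")
    hops = [url]
    while url in redirects and len(hops) <= MAX_REDIRECTS:
        url = redirects[url]
        hops.append(url)          # no check here: this is the bypass
    return hops


def fetch_checked(url: str, allowlist=ALLOWLIST, redirects=REDIRECTS,
                  max_redirects=MAX_REDIRECTS) -> list:
    """Every hop is validated before it is requested, and the redirect count
    is bounded so a redirect loop cannot pin the worker."""
    hops = []
    for _ in range(max_redirects + 1):
        if not host_allowed(url, allowlist):
            raise PermissionError(f"redirect target not allowed: {url}")
        hops.append(url)
        if url not in redirects:
            return hops
        url = redirects[url]
    raise RuntimeError(f"too many redirects starting from {hops[0]}")


def outcome(fetcher, url: str) -> tuple:
    """Summarise a fetch as ('ok', hops) or ('blocked', reason)."""
    try:
        return "ok", fetcher(url)
    except (PermissionError, RuntimeError) as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    for name, fn in (("naive", fetch_naive), ("checked", fetch_checked)):
        for path in ("hook", "bounce", "loop"):
            print(name, path, outcome(fn, f"https://api.example.com/{path}"))
```

    With a real HTTP client the equivalent is to turn off automatic redirect following (for `requests`, `allow_redirects=False`) and walk the `Location` header yourself as above. A hostname check alone still leaves DNS rebinding and allowlisted names that resolve to internal addresses; a complete control also resolves the name and rejects private, loopback and link-local ranges at connect time.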

  • Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-26)
    by ismisepaul on April 8, 2026 at 4:25 pm

    Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.

    Affected Versions:
    8.x: All versions from 8.15.0 up to and including 8.19.13
    9.x: All versions from 9.0.0 up to and including 9.2.7; all versions from 9.3.0 up to and including 9.3.2

    Affected Configurations: Deployments with the automatic import plugin enabled are affected. The plugin is enabled by default in Kibana 8.15 and later. Exploitation requires an authenticated user with Fleet and Integrations privileges.

    Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

    Indicators of Compromise (IOC):
    - Monitor for repeated or concurrent requests to automatic import endpoints from the same user or session, particularly requests with unusually large payloads.
    - Review Kibana audit logs and HTTP access logs for patterns of high-volume requests to automatic import API endpoints.
    - Monitor for HTTP 502 errors that may indicate resource exhaustion caused by exploitation attempts.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-33459
    Problem Type: CWE-400 – Uncontrolled Resource Consumption
    Impact: CAPEC-130 – Excessive Allocation

  • Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-25)
    by ismisepaul on April 8, 2026 at 4:22 pm

    Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

    Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x: All versions from 9.0.0 up to and including 9.2.7; all versions from 9.3.0 up to and including 9.3.2

    Affected Configurations: Deployments using Kibana Spaces with Fleet enabled are affected. Exploitation requires that a user has been assigned Fleet agent management privileges in at least one space, while Fleet Server policies exist in other spaces.

    Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

    For Users that Cannot Upgrade: Review Fleet role assignments across spaces and ensure users with Fleet agent privileges are trusted with visibility into Fleet topology across all spaces, or restrict Fleet privileges to trusted users only.

    Indicators of Compromise (IOC): Review Kibana audit logs for access to Fleet enrollment settings endpoints. Unusual access patterns from users with Fleet agent privileges limited to specific spaces may indicate cross-space enumeration attempts.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (4.3) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CVE ID: CVE-2026-33460
    Problem Type: CWE-863 – Incorrect Authorization
    Impact: CAPEC-122 – Privilege Abuse

  • Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-24)
    by ismisepaul on April 8, 2026 at 4:18 pm

    Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

    Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x: All versions from 9.0.0 up to and including 9.2.7; all versions from 9.3.0 up to and including 9.3.2

    Affected Configurations: Deployments with Fleet enabled where users have been granted the Fleet Agents privilege without the Fleet Settings privilege. Fleet is available by default in Kibana, but exploitation requires that a user has been explicitly assigned Fleet agent management privileges.

    Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

    For Users that Cannot Upgrade:
    - Review Fleet role assignments and ensure users with Fleet agent privileges are trusted with access to Fleet configuration data, or remove Fleet agent privileges from untrusted users until the upgrade can be applied.
    - Rotate any proxy credentials (private keys, authentication tokens) that may have been exposed through the affected endpoint.

    Indicators of Compromise (IOC): Review Kibana audit logs for access to Fleet enrollment settings endpoints by users who do not have Fleet settings privileges. Unexpected access patterns from users with only Fleet agent privileges may indicate exploitation.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (7.7) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE ID: CVE-2026-33461
    Problem Type: CWE-863 – Incorrect Authorization
    Impact: CAPEC-122 – Privilege Abuse

  • Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-21)
    by ismisepaul on April 8, 2026 at 4:01 pm

    Execution with Unnecessary Privileges in Kibana Leading to Reading Index Data Beyond the User's Direct Elasticsearch RBAC Scope

    Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond the user's direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x: All versions from 9.0.0 up to and including 9.2.7; all versions from 9.3.0 up to and including 9.3.2

    Affected Configurations:
    - Default State: Fleet is enabled by default in Kibana (xpack.fleet.agents.enabled defaults to true). The debug routes are registered as internal routes when Fleet is active.
    - Configuration Requirement: No non-default configuration is required. The vulnerable routes are available in any standard Kibana deployment with Fleet enabled.

    Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

    For Users that Cannot Upgrade: Restrict Fleet privileges: review all custom roles that grant Fleet sub-feature privileges (agents_all, agent_policies_all, settings_all) and limit these to only trusted administrative users until a patch is applied. However, users should upgrade to the latest non-vulnerable version.

    Indicators of Compromise (IOC): If Kibana audit logging is enabled (xpack.security.audit.enabled: true), the following detection strategy can be used. Search for requests to Fleet debug routes: look for HTTP request audit events targeting paths matching /internal/fleet/debug/index or /internal/fleet/debug/saved_objects in Kibana audit logs.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (7.7) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE ID: CVE-2026-4498
    Problem Type: CWE-250 – Execution with Unnecessary Privileges
    Impact: CAPEC-122 – Privilege Abuse
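    The ESA-2026-21 IOC is concrete enough to script. The following added example (written for this listing, not an Elastic-provided detection) walks NDJSON audit events, keeps `http_request` events whose `url.path` is one of the two debug routes, and tallies them per user. The sample lines are constructed; their field layout (`event.action`, `url.path`, `http.request.method`, `user.name`) follows Kibana's ECS-style audit events as I understand them and should be checked against your own log before use. Near-miss paths are matched on whole path segments so that an unrelated route sharing the prefix does not count.

```python
import json
from collections import Counter

# The two routes named in the advisory.
FLEET_DEBUG_PREFIXES = (
    "/internal/fleet/debug/index",
    "/internal/fleet/debug/saved_objects",
)

# Constructed NDJSON sample: two debug-route calls by "contractor", normal Fleet
# traffic by "ops", a non-HTTP audit event, a malformed line, and a near-miss path.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2026-04-08T10:00:01Z","event":{"action":"http_request"},"http":{"request":{"method":"get"}},"url":{"path":"/api/fleet/agents"},"user":{"name":"ops"}}
{"@timestamp":"2026-04-08T10:00:02Z","event":{"action":"http_request"},"http":{"request":{"method":"post"}},"url":{"path":"/internal/fleet/debug/index"},"user":{"name":"contractor"}}
{"@timestamp":"2026-04-08T10:00:03Z","event":{"action":"saved_object_find"},"kibana":{"saved_object":{"type":"ingest-agent-policies"}},"user":{"name":"contractor"}}
{"@timestamp":"2026-04-08T10:00:04Z","event":{"action":"http_request"},"http":{"request":{"method":"post"}},"url":{"path":"/internal/fleet/debug/saved_objects"},"user":{"name":"contractor"}}
this line is not JSON and must not abort the scan
{"@timestamp":"2026-04-08T10:00:05Z","event":{"action":"http_request"},"http":{"request":{"method":"get"}},"url":{"path":"/internal/fleet/debugging/index"},"user":{"name":"ops"}}
"""


def _get(obj, dotted: str, default=None):
    """Walk a dotted ECS field name through nested dicts."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def iter_events(ndjson: str):
    """Yield parsed events, skipping blank and malformed lines."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def path_matches(path: str, prefixes=FLEET_DEBUG_PREFIXES) -> bool:
    """Exact route or a sub-path of it; '/internal/fleet/debugging/...' does not match."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def find_debug_route_requests(ndjson: str) -> list:
    """Return one record per http_request audit event that hit a debug route."""
    hits = []
    for ev in iter_events(ndjson):
        if _get(ev, "event.action") != "http_request":
            continue
        path = _get(ev, "url.path", "") or ""
        if path_matches(path):
            hits.append({
                "timestamp": _get(ev, "@timestamp"),
                "user": _get(ev, "user.name"),
                "method": _get(ev, "http.request.method"),
                "path": path,
            })
    return hits


def requests_per_user(hits: list) -> dict:
    """Tally debug-route requests by user, the figure to compare against who holds Fleet privileges."""
    return dict(Counter(h["user"] for h in hits))


if __name__ == "__main__":
    found = find_debug_route_requests(SAMPLE_AUDIT_LOG)
    for h in found:
        print(h)
    print(requests_per_user(found))
```

    Any user appearing in the tally who is not an administrator expected to use these routes is worth a closer look, and the timestamps give the window in which to review what that user could have read.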

  • Elastic OTel Java 1.10.0 Security Update (ESA-2026-22 / GHSA-xw7x-h9fj-p2c7)
    by ismisepaul on March 30, 2026 at 2:17 pm

    Dependency on Vulnerable Third-Party Component in Elastic OTel Java Leading to Remote Code Execution

    Dependency on Vulnerable Third-Party Component (CWE-1395) exists in Elastic OTel Java via a dependency on the OpenTelemetry Java instrumentation library. This vulnerability could allow an attacker to perform remote code execution via Object Injection (CAPEC-586). Exploitation requires an attacker with network access to a reachable RMI endpoint on an instrumented JVM that triggers the known vulnerability CVE-2026-33701 / GHSA-xw7x-h9fj-p2c7.

    Affected Versions: All Elastic OTel Java versions up to and including 1.9.0

    Affected Configurations: This vulnerability requires all three of the following conditions to be true:
    - Elastic OTel Java is attached to the application as a Java agent (-javaagent)
    - An RMI endpoint is network-reachable (e.g., JMX remote port, an RMI registry, or any application-exported RMI service)
    - A gadget-chain-compatible library is present on the application’s classpath
    Deployments that do not expose RMI endpoints to the network, or that do not have gadget-chain-compatible libraries on the classpath, are not exploitable.

    Solutions and Mitigations: The issue is resolved in version 1.10.0, which updates the embedded OpenTelemetry Java instrumentation to version 2.26.1.

    For Users that Cannot Upgrade: Disable the RMI instrumentation by setting the following JVM system property:
    -Dotel.instrumentation.rmi.enabled=false
    This workaround applies to both self-managed and Kubernetes-based deployments. When using the OpenTelemetry Operator for auto-instrumentation on Kubernetes, this property can be added via the Instrumentation object’s environment configuration or through the JAVA_TOOL_OPTIONS environment variable on the instrumented Pod.

    Indicators of Compromise (IOC): Monitor for the following indicators:
    - Unexpected inbound network connections to RMI or JMX ports on instrumented JVMs
    - Unusual process execution or child processes spawned by the instrumented JVM
    - Anomalous deserialization activity in application or JVM logs, particularly stack traces referencing RMI endpoints

    Severity: CVSSv4.0: Critical (9.3) – CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    CVE ID: CVE-2026-33701
    GHSA: GHSA-xw7x-h9fj-p2c7
    Problem Type: CWE-1395 – Dependency on Vulnerable Third-Party Component

  • Kibana 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-20)
    by ismisepaul on March 19, 2026 at 4:59 pm

    Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

    Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.12
    9.x: All versions from 9.0.0 up to and including 9.2.6; all versions from 9.3.0 up to and including 9.3.1

    Affected Configurations: The Timelion visualization plugin (visTypeTimelion) is enabled by default in Kibana and is listed under “Legacy editors” in the documentation.

    Solutions and Mitigations: The issue is resolved in versions 8.19.13, 9.2.7, and 9.3.2.

    For Users that Cannot Upgrade:
    - Self-hosted: Users can set this property in the Kibana config YAML file: vis_type_timelion.enabled: false
    - Cloud: There is no workaround.

    Indicators of Compromise (IOC): Look for JavaScript heap out of memory or FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed errors in Kibana server logs, which indicate the Node.js process crashed due to memory exhaustion.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-26940
    Problem Type: CWE-1284 – Improper Validation of Specified Quantity in Input
    Impact: CAPEC-130 – Excessive Allocation

  • Elasticsearch 8.19.8, 9.1.8 Security Update (ESA-2026-18)
    by ismisepaul on March 19, 2026 at 4:59 pm

    Deserialization of Untrusted Data in Elasticsearch Leading to Remote Code Execution

    Dependency on Vulnerable Third-Party Component (CWE-1395) exists in PyTorch used by the machine learning model loading component in Elasticsearch that can allow an attacker to achieve remote code execution via Object Injection (CAPEC-586). Exploitation requires an attacker to have high-privileged access (the machine_learning_admin role) to upload and deploy a specially crafted, malicious model to the Elasticsearch cluster that triggers the known vulnerability CVE-2025-32434.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.7
    9.x: All versions from 9.0.0 up to and including 9.1.7
    Versions 9.2.0+ were never affected.

    Affected Configurations: The vulnerability affects Elasticsearch deployments that have ML nodes and where PyTorch-based NLP models can be uploaded and deployed.

    Solutions and Mitigations: The issue is resolved in versions 8.19.8 and 9.1.8.

    For Users that Cannot Upgrade:
    - Ensure that only trusted users are granted the machine_learning_admin role. Revoke this role from any users who do not have a legitimate need to upload or manage ML models.
    - Disable ML entirely: If ML functionality is not required, set xpack.ml.enabled: false in elasticsearch.yml on all nodes. Note that this disables all ML features, not just PyTorch model loading.
    - Only use models from trusted sources: As stated in the official Elastic documentation: “PyTorch models can execute code on your Elasticsearch server, exposing your cluster to potential security vulnerabilities. Only use models from trusted sources and never use models from unverified or unknown providers.”

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (7.2) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2025-32434
    Problem Type: CWE-502 – Deserialization of Untrusted Data
    Impact: CAPEC-586 – Object Injection

  • Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-11)
    by ismisepaul on March 19, 2026 at 4:56 pm

    Improper Validation of Array Index in Packetbeat Leading to Denial of Service

    Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead to Denial of Service via Input Data Manipulation (CAPEC-153). An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger out-of-bounds read operations, resulting in application crashes or resource exhaustion. This requires the attacker to be positioned on the same network segment as the Packetbeat deployment or to control traffic routed to monitored interfaces.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.10
    9.x: All versions from 9.0.0 up to and including 9.2.4

    Affected Configurations: Packetbeat protocol parsing is enabled by default for configured protocols. Network traffic capture requires explicit configuration of network interfaces and protocols to monitor in packetbeat.yml. The vulnerable parsers are only active when their respective protocols are explicitly enabled in the configuration.

    Solutions and Mitigations: The issue is resolved in versions 8.19.11 and 9.2.5.

    For Users that Cannot Upgrade: Network Segmentation: Ensure Packetbeat instances only monitor trusted network segments and implement network-level controls to prevent untrusted sources from sending traffic to monitored interfaces. This will reduce the likelihood of exploitation.

    Indicators of Compromise (IOC):
    - Frequent panic/crash events in Packetbeat logs
    - Error messages related to index out of range or slice bounds violations
    - Repeated restarts of the Packetbeat process

    Severity: CVSSv3.1: Medium (5.7) – CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-26933
    Problem Type: CWE-129 – Improper Validation of Array Index
    Impact: CAPEC-153 – Input Data Manipulation

  • Metricbeat 8.19.13, 9.2.5 Security Update (ESA-2026-09)
    by ismisepaul on March 19, 2026 at 4:54 pm

    Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service

    Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead to Denial of Service via Excessive Allocation (CAPEC-130).

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.12
    9.x: All versions from 9.0.0 up to and including 9.2.4

    Affected Configurations: The Prometheus remote_write module is not enabled by default in Metricbeat, so this issue only affects users who have enabled it.

    Solutions and Mitigations: The issue is resolved in versions 8.19.13 and 9.2.5.

    For Users that Cannot Upgrade:
    - Disable the remote_write module if it is not required for operations: remove or comment out the Prometheus remote_write configuration block in metricbeat.yml, then restart Metricbeat to apply changes.
    - Restrict network access using firewall rules or network policies: limit access to the remote_write endpoint to trusted Prometheus server IP addresses only, and use host: “localhost” binding if the Prometheus server runs on the same host.

    Indicators of Compromise (IOC):
    Log Patterns:
    - Metricbeat process termination with “out of memory” messages in system logs
    - Repeated Metricbeat crashes or restarts when the Prometheus remote_write module is enabled
    - OOM events in kernel logs (dmesg) or container orchestration logs targeting the Metricbeat process
    Audit Trail Indicators:
    - Sudden memory consumption spikes in Metricbeat process metrics immediately preceding process termination
    - Network connections from unexpected or unauthorized source IP addresses to the remote_write endpoint port

    Severity: CVSSv3.1: Medium (5.7) – CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-26931
    Problem Type: CWE-789 – Memory Allocation with Excessive Size Value
    Impact: CAPEC-130 – Excessive Allocation

  • Logstash 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-06)
    by ismisepaul on March 19, 2026 at 4:53 pm

    Sensitive Information in Resource Not Removed Before Reuse in Logstash Leading to Access to Sensitive Information

    Dependency on Vulnerable Third-Party Component (CWE-1395) exists in the org.lz4:lz4-java decompression library used by the logstash-integration-kafka plugin in Logstash that could allow an attacker to access sensitive information from previous buffer contents via Input Data Manipulation (CAPEC-153). Exploitation requires the attacker to produce specially crafted, malformed compressed input to a Kafka topic consumed by Logstash, causing the decompression process to expose residual data from reused output buffers that were not cleared between operations – CVE-2025-66566.

    Affected Versions:
    8.x: All versions from 8.15.0 up to and including 8.19.9
    9.x: All versions from 9.0.0 up to and including 9.1.9; all versions from 9.2.0 up to and including 9.2.3

    Affected Configurations: This vulnerability is limited to Logstash deployments that have the logstash-integration-kafka plugin configured to consume from a Kafka topic to which the attacker can publish messages. The attacker requires network access to the Kafka cluster and sufficient Kafka-level permissions (e.g., Kafka ACLs, if configured) to publish messages to the target topic.

    Solutions and Mitigations: The issue is resolved in versions 8.19.10, 9.1.10, and 9.2.4.

    For Users that Cannot Upgrade: The attacker requires network access to the Kafka cluster and sufficient Kafka-level permissions (e.g., Kafka ACLs, if configured) to publish messages to the target topic. Manually update the logstash-integration-kafka plugin to version 11.8.1 or higher using:
    bin/logstash-plugin update logstash-integration-kafka

    Severity: CVSSv3.1: Medium (5.9) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2025-66566
    Problem Type: CWE-226 – Sensitive Information in Resource Not Removed Before Reuse
    Impact: CAPEC-153 – Input Data Manipulation

  • Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-19)
    by ismisepaul on March 19, 2026 at 4:51 pm

    Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration

    Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.11
    9.x: All versions from 9.0.0 up to and including 9.2.5; version 9.3.0

    Affected Configurations: Automated response actions require the appropriate Elastic Stack subscription or Serverless project feature tier, and hosts must have Elastic Agent installed with the Elastic Defend integration. Automated response actions are not enabled by default on detection rules. A user must explicitly configure them. However, the Elastic Defend feature privileges (Host Isolation, Process Operations) are set to None by default for new roles, meaning most users should not have these privileges unless explicitly granted. The vulnerability allows users without these privileges to bypass the restriction. The Update API is only vulnerable when response actions are being added to an existing rule that does not already have any response actions. If the rule already contains response actions, the existing authorization logic was applied.

    Solutions and Mitigations: The issue is resolved in versions 8.19.12, 9.2.6, and 9.3.1.

    For Users that Cannot Upgrade: Update to the patched version as soon as possible. In the interim, restrict detection rule management privileges to users who are also authorized for endpoint response actions. Review existing rules for any unauthorized response action configurations that may have been added.

    Indicators of Compromise (IOC): Audit all detection rules for response_actions configurations containing .endpoint action types (isolate, kill-process, suspend-process) that may have been added by unauthorized users.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
    CVE ID: CVE-2026-26939
    Problem Type: CWE-862 – Missing Authorization
    Impact: CAPEC-1 – Accessing Functionality Not Properly Constrained by ACLs
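    The ESA-2026-19 IOC asks for an audit of every rule's `response_actions`. The following added example (written for this listing, not Elastic's own tooling) does that over a list of rule objects: it picks out `.endpoint` actions whose command is one of isolate, kill-process or suspend-process and reports those on rules last edited by someone outside the set of users authorized for endpoint response actions. The rule objects are constructed; the `response_actions` layout (`action_type_id` of `.endpoint` with `params.command`) and the use of the rule's `updated_by` as the actor are assumptions of the example and should be checked against the rule JSON your deployment returns.

```python
# Commands named in the advisory.
ENDPOINT_COMMANDS = {"isolate", "kill-process", "suspend-process"}

# Constructed rule objects. Only the fields the audit reads are present.
SAMPLE_RULES = [
    {"id": "rule-a", "name": "Suspicious PowerShell", "updated_by": "soc_admin",
     "response_actions": [
         {"action_type_id": ".endpoint", "params": {"command": "isolate", "comment": "approved"}}]},
    {"id": "rule-b", "name": "Odd DNS", "updated_by": "analyst_ro",
     "response_actions": [
         {"action_type_id": ".endpoint",
          "params": {"command": "kill-process", "config": {"field": "process.entity_id"}}}]},
    {"id": "rule-c", "name": "Osquery collect", "updated_by": "analyst_ro",
     "response_actions": [
         {"action_type_id": ".osquery", "params": {"query": "select 1"}}]},
    {"id": "rule-d", "name": "No actions", "updated_by": "analyst_ro"},
]


def endpoint_commands(rule: dict) -> list:
    """Every .endpoint response-action command configured on a rule."""
    commands = []
    for action in rule.get("response_actions") or []:
        if action.get("action_type_id") != ".endpoint":
            continue
        params = action.get("params") or {}
        commands.append(params.get("command"))
    return commands


def rules_with_endpoint_actions(rules: list) -> list:
    """IDs of rules carrying at least one isolate/kill-process/suspend-process action."""
    return [r["id"] for r in rules
            if any(c in ENDPOINT_COMMANDS for c in endpoint_commands(r))]


def find_unauthorized_endpoint_actions(rules: list, authorized_users: set) -> list:
    """Endpoint actions on rules whose last editor is not authorized for them."""
    findings = []
    for rule in rules:
        actor = rule.get("updated_by")
        for command in endpoint_commands(rule):
            if command in ENDPOINT_COMMANDS and actor not in authorized_users:
                findings.append({
                    "rule_id": rule["id"],
                    "rule_name": rule.get("name"),
                    "command": command,
                    "updated_by": actor,
                })
    return findings


if __name__ == "__main__":
    # "soc_admin" is the only user assumed to hold the Elastic Defend privileges.
    for f in find_unauthorized_endpoint_actions(SAMPLE_RULES, {"soc_admin"}):
        print(f)
```

    In a live deployment the rule list comes from the detection engine's rule find API (`GET /api/detection_engine/rules/_find`, paginated). Note the limit of `updated_by`: it names the last editor of the rule, not necessarily whoever added the action, so a hit is a lead to confirm against the Kibana audit log rather than proof on its own.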

  • Kibana 9.3.1 Security Update (ESA-2026-17)
    by ismisepaul on February 26, 2026 at 4:55 pm

    Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)

    Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

    Affected Versions:
    9.x: Version 9.3.0

    Affected Configurations: The workflows feature is turned off by default, as it is in technical preview in version 9.3.0. The feature needs to be specifically enabled within Advanced Settings.

    Solutions and Mitigations: The issue is resolved in version 9.3.1.

    For Users that Cannot Upgrade: Disable workflows: https://www.elastic.co/docs/explore-analyze/workflows/setup

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (8.6) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    CVE ID: CVE-2026-26938
    Problem Type: CWE-1336 – Improper Neutralization of Special Elements Used in a Template Engine
    Impact: CAPEC-242 – Code Injection

  • Synthetics Recorder 1.4.15 Security Update (ESA-2026-16) – CVE-2025-6554 and CVE-2025-7657
    by ismisepaul on February 26, 2026 at 4:55 pm

    Dependency on Vulnerable Third-Party Component in Synthetics Recorder Leading to Remote Code Execution

    Dependency on Vulnerable Third-Party Component (CWE-1395) exists in the bundled Chromium browser in Elastic Synthetics Recorder that could allow an attacker to achieve remote code execution on a user’s system. Exploitation requires a user to navigate the Synthetics Recorder’s built-in browser to a malicious or compromised website, which serves specially crafted, malformed content that triggers known vulnerabilities – CVE-2025-6554 and CVE-2025-7657.

    Affected Versions: All versions before 1.4.14

    Solutions and Mitigations: The issue is resolved in version 1.4.15.

    Severity: CVSSv3.1: High (7.5) – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE ID: CVE-2025-6554 and CVE-2025-7657

  • Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-15)
    by ismisepaul on February 26, 2026 at 4:54 pm

    Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

    Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.10
    9.x: All versions from 9.0.0 up to and including 9.2.4

    Affected Configurations: Timelion is a legacy visualization feature that is available by default in Kibana installations.

    Solutions and Mitigations: The issue is resolved in versions 8.19.11 and 9.2.5.

    For Users that Cannot Upgrade:
    - Self Managed: Customers who do not use Timelion visualizations can disable the plugin by adding the following to kibana.yml: vis_type_timelion.enabled: false
    - Cloud: Disabling this plugin in Elastic Cloud Hosted environments is not possible. Customers on Elastic Cloud Hosted should prioritize upgrading to a patched version.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-26937
    Problem Type: CWE-400 – Uncontrolled Resource Consumption
    Impact: CAPEC-153 – Input Data Manipulation

  • Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-14)
    by ismisepaul on February 26, 2026 at 4:53 pm

    Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service

    Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.10
    9.x: All versions from 9.0.0 up to and including 9.2.4

    Affected Configurations:
    The Elastic AI Assistant for Security is not enabled by default in Kibana. Users must explicitly configure an AI connector (e.g., OpenAI, Amazon Bedrock, or Elastic Managed LLM) and enable the AI Assistant feature from the GenAI Settings page.

    Solutions and Mitigations:
    The issue is resolved in version 8.19.11, 9.2.5.

    For Users that Cannot Upgrade:
    If the AI Assistant has been enabled with custom anonymization rules:
    Disable Custom Anonymization Rules: Navigate to Security AI settings → Anonymization tab in Kibana and disable all custom anonymization rules. This prevents the vulnerable regex processing pipeline from executing.
    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (4.9) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-26936
    Problem Type: CWE-1333 – Inefficient Regular Expression Complexity
    Impact: CAPEC-492 – Regular Expression Exponential Blowup

    1 post – 1 participant

  • Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-13)
    by ismisepaul on February 26, 2026 at 4:53 pm

    Improper Input Validation in Kibana Leading to Denial of Service

    Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

    Affected Versions:
    8.x: All versions from 8.4.0 up to and including 8.19.11
    9.x: All versions from 9.0.0 up to and including 9.2.5
    Version 9.3.0

    Affected Configurations:
    Users that have not configured Content Connectors are not affected by this vulnerability, as the vulnerable endpoint is only accessible when connectors exist in the deployment.

    Solutions and Mitigations:
    The issue is resolved in version 8.19.12, 9.2.6, 9.3.1.

    For Users that Cannot Upgrade:
    Restrict Access to Content Connectors: Modify user roles to remove access to the Content Connectors feature for users who do not require it. This can be accomplished by:
    Creating custom roles that exclude Kibana privileges for Content Connectors
    Removing the viewer role from users who do not need Content Connectors access
    Implementing more granular feature-level privileges
    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-26935
    Problem Type: CWE-20 – Improper Input Validation
    Impact: CAPEC-153 – Input Data Manipulation

    1 post – 1 participant

  • Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-12)
    by ismisepaul on February 26, 2026 at 4:52 pm

    Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

    Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

    Affected Versions:
    8.x: All versions from 8.18.0 up to and including 8.19.11
    9.x: All versions from 9.0.0 up to and including 9.2.5
    Version 9.3.0

    Affected Configurations:
    Index Management is enabled by default in Kibana and does not require specific configuration to be active. This vulnerability requires authentication. The attacker must have valid Kibana credentials; access with view-only privileges (such as the built-in viewer role) is sufficient to cause the crash.

    Solutions and Mitigations:
    The issue is resolved in version 8.19.12, 9.2.6, 9.3.1.

    For Users that Cannot Upgrade:
    The most effective mitigation is to apply the security patch as soon as possible. In the interim, customers could:
    Monitor Kibana server resource utilization closely
    Restrict authenticated access to Kibana to trusted users only
    Consider implementing application-layer request size limits if feasible in their environment

    Indicators of Compromise (IOC):
    Search for POST requests with unusually large request body sizes (e.g., greater than 100KB).
    Monitor for sudden spikes in Kibana server CPU utilization, memory consumption, or unresponsiveness coinciding with requests to the enrich policies endpoint.
    Check system logs for Kibana process crashes or restarts that correlate with suspicious API requests.

    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-26934
    Problem Type: CWE-1284 – Improper Validation of Specified Quantity in Input
    Impact: CAPEC-153 – Input Data Manipulation

    1 post – 1 participant

  • Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-10)
    by ismisepaul on February 26, 2026 at 4:51 pm

    Improper Validation of Array Index in Packetbeat Leading to Denial of Service

    Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead to Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.

    Affected Versions:
    8.x: All versions from 8.0.0 up to and including 8.19.10
    9.x: All versions from 9.0.0 up to and including 9.2.4

    Affected Configurations:
    This vulnerability only affects Packetbeat deployments where the pgsql protocol type has been explicitly configured in packetbeat.yml and the Packetbeat instance is monitoring network traffic on an interface where PostgreSQL protocol traffic is present.

    Solutions and Mitigations:
    The issue is resolved in version 8.19.11, 9.2.5.

    For Users that Cannot Upgrade:
    Disable the pgsql protocol parser by removing or commenting out the pgsql configuration in packetbeat.yml.

    Indicators of Compromise (IOC):
    Packetbeat process terminations with panic messages containing “runtime error: index out of range” or “panic: runtime error”
    Stack traces referencing packetbeat/protos/pgsql/parse.go

    Severity: CVSSv3.1: Medium (5.7) – CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-26932
    Problem Type: CWE-129 – Improper Validation of Array Index
    Impact: CAPEC-153 – Input Data Manipulation

    1 post – 1 participant

  • Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)
    by ismisepaul on January 13, 2026 at 8:55 pm

    Elasticsearch yawkat LZ4 Java – CVE-2025-66566 (ESA-2026-07)

    An Information Disclosure vulnerability (CVE-2025-66566) exists in the yawkat LZ4 Java library used by Elasticsearch that allows an attacker to read previous buffer contents through specially crafted compressed input sent via the transport layer.

    Affected Versions:
    7.x: All versions from 7.14.0 up to and including 7.17.29
    8.x: All versions from 8.0.0 up to and including 8.19.9
    9.x: All versions from 9.0.0 up to and including 9.1.9
    All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
    Users should upgrade to version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
    Self-hosted: For users who cannot upgrade immediately, the following workarounds can be applied to elasticsearch.yml. Note that these changes require a node restart to take effect.
    Switch to Deflate: The LZ4 Java decompressor can be bypassed by switching the transport compression scheme to deflate: transport.compression_scheme: deflate
    Disable Compression: Compression can be disabled entirely, though this will result in increased network bandwidth usage: transport.compress: false
    Cross-Cluster Settings: If utilizing cross-cluster search or replication, apply the mitigation to remote connections: cluster.remote.<cluster_alias>.transport.compression_scheme: deflate
    Cloud: For users on Elastic Cloud who cannot upgrade immediately:
    Configuration: The transport.compression_scheme setting can be configured by users in the Cloud Console for versions 7.17.0 and later. Users can switch the scheme to deflate or disable compression via the user settings block.
    Remote Clusters: While users cannot configure cluster.remote.<cluster_alias>.transport.compression_scheme directly in the Cloud UI, remote cluster connections will automatically inherit the global transport.compression_scheme setting.
    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (8.4) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

    CVE ID: CVE-2025-66566

    1 post – 1 participant

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-05)
    by ikakavas on January 13, 2026 at 8:54 pm

    External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector (ESA-2026-05)

    External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

    Affected Versions:
    8.x: All versions from 8.15.0 up to and including 8.19.9
    9.x: All versions from 9.0.0 up to and including 9.1.9
    All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
    Users should upgrade to version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
    Customers who cannot upgrade can disable the connector type by setting the appropriate value for xpack.actions.enabledActionTypes in the Kibana configuration.
    Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (8.6) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

    CVE ID: CVE-2026-0532
    Problem Type: CWE-918 – Server-Side Request Forgery (SSRF), CWE-73 – External Control of File Name or Path
    Impact: CAPEC-664 – Server-Side Request Forgery (SSRF), CAPEC-76 – Manipulating Web Input to File System Calls

    1 post – 1 participant

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-08)
    by Bryan_Garcia on January 13, 2026 at 8:47 pm

    Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation (ESA-2026-08)

    Improper Input Validation (CWE-20) in Kibana’s Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process a specially crafted email format, resulting in complete service unavailability for all users until a manual restart is performed.

    Affected Versions:
    7.x: All versions
    8.x: All versions from 8.0.0 up to and including 8.19.9
    9.x: All versions from 9.0.0 up to and including 9.1.9
    All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
    The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-0543
    Problem Type: CWE-20 – Improper Input Validation
    Impact: CAPEC-664 – Excessive Allocation

    1 post – 1 participant

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-04)
    by ismisepaul on January 13, 2026 at 8:47 pm

    Allocation of Resources Without Limits or Throttling in Kibana Fleet (ESA-2026-04)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

    Affected Versions:
    7.x: All versions from 7.10.0 up to and including 7.17.29
    8.x: All versions from 8.0.0 up to and including 8.19.9
    9.x: All versions from 9.0.0 up to and including 9.1.9
    All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
    The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
    There are no workarounds.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-0531
    Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling
    Impact: CAPEC-130 – Excessive Allocation

    1 post – 1 participant

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-03)
    by Bryan_Garcia on January 13, 2026 at 8:45 pm

    Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation (ESA-2026-03)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.

    Affected Versions:
    7.x: All versions from 7.10.0 up to and including 7.17.29
    8.x: All versions from 8.0.0 up to and including 8.19.9
    9.x: All versions from 9.0.0 up to and including 9.1.9
    All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
    The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE ID: CVE-2026-0530
    Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling
    Impact: CAPEC-130 – Excessive Allocation

    1 post – 1 participant
