Security Announcements – Discuss the Elastic Stack Topics in the ‘Security Announcements’ category Security announcements for the Elastic stack.
- Kibana 7.17.15, 8.11.1 Security Update (ESA-2026-53)by kruskall on July 1, 2026 at 2:05 pm
Improper Output Neutralization for Logs in Kibana Leading to Log Injection Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data. Affected Versions: 7.x: All versions up to and including 7.17.14 8.x: All versions from 8.0.0 up to and including 8.11.0 Affected Configurations: All configurations are affected. Solutions and Mitigations: The issue is resolved in version 7.17.15 and 8.11.1. For Users that Cannot Upgrade: Self-Managed: View Kibana log files only in tools that do not interpret terminal control sequences. Cloud: The same guidance applies to Elastic Cloud Hosted deployments. Indicators of Compromise (IOC) Inspect log files for unexpected terminal control or escape sequences. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: High ( 8.0 ) – CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVE ID: CVE-2026-49091 Problem Type: CWE-117 – Improper Output Neutralization for Logs Impact: CAPEC-93 – Log Injection-Tampering-Forging 1 post – 1 participant Read full topic
- Elasticsearch 7.17.24, 8.15.0 Security Update (ESA-2026-52)by kruskall on July 1, 2026 at 2:04 pm
Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests. Affected Versions: 7.x: All versions up to and including 7.17.23 8.x: All versions from 8.0.0 up to but not including 8.15.0 Affected Configurations: All configurations are affected. Exploitation requires an authenticated account able to submit requests to the bulk API. Solutions and Mitigations: The issue is resolved in version 7.17.24 and 8.15.0. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-49090 Problem Type: CWE-400 – Uncontrolled Resource Consumption Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Kibana 8.16.3, 8.17.2 Security Update (ESA-2026-51)by kruskall on July 1, 2026 at 2:03 pm
Authorization Bypass Through User-Controlled Key in Kibana Leading to Unauthorized Data Modification Authorization Bypass Through User-Controlled Key (CWE-639) in Kibana can lead to unauthorized data modification via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, an authenticated user could reference another user’s AI Assistant conversation identifier to access or modify a conversation they do not own. Successful exploitation requires knowledge of a hard-to-guess identifier. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.16.2 All versions from 8.17.0 up to and including 8.17.1 Affected Configurations: Affects deployments that use the AI Assistant. Exploitation requires an authenticated account with access to the AI Assistant. Solutions and Mitigations: The issue is resolved in version 8.16.3 and 8.17.2. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 4.2 ) – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVE ID: CVE-2026-49089 Problem Type: CWE-639 – Authorization Bypass Through User-Controlled Key Impact: CAPEC-1 – Accessing Functionality Not Properly Constrained by ACLs 1 post – 1 participant Read full topic
- Kibana 8.18.9, 8.19.6, 9.0.8, 9.1.6 Security Update (ESA-2026-50)by kruskall on July 1, 2026 at 2:02 pm
Insertion of Sensitive Information into Log File in Kibana Leading to Information Disclosure Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.18.8 All versions from 8.19.0 up to and including 8.19.5 9.x: All versions from 9.0.0 up to and including 9.0.7 All versions from 9.1.0 up to and including 9.1.5 (9.2.0 and later not affected) Affected Configurations: Affects deployments that explicitly enable APM instrumentation. Deployments without APM instrumentation enabled are not affected. Solutions and Mitigations: The issue is resolved in version 8.18.9, 8.19.6, 9.0.8, and 9.1.6. For Users that Cannot Upgrade: Self-Managed: Disable the optional APM instrumentation until the deployment is upgraded. Cloud: This issue was remediated on Elastic-managed infrastructure prior to disclosure; for self-configured Elastic Cloud Hosted deployments, disable the optional APM instrumentation until upgraded. Indicators of Compromise (IOC) Inspect application logs for recorded request header values (including Cookie values); their presence indicates exposure. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 4.4 ) – CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVE ID: CVE-2026-49088 Problem Type: CWE-532 – Insertion of Sensitive Information into Log File 1 post – 1 participant Read full topic
- Kibana 8.19.15, 9.3.4 Security Update (ESA-2026-49)by kruskall on July 1, 2026 at 1:59 pm
Allocation of Resources Without Limits or Throttling in Kibana Leading to Denial of Service Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.14 9.x: All versions from 9.0.0 up to and including 9.3.3 (9.4.0 and later not affected) Affected Configurations: Affects deployments that use the Timeline feature. Exploitation requires an authenticated account with access to Timeline. Solutions and Mitigations: The issue is resolved in version 8.19.15, and 9.3.4. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-49087 Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Elastic Defend 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-46)by kruskall on July 1, 2026 at 1:57 pm
Incorrect Authorization in Elastic Defend Leading to Information Disclosure Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view. Affected Versions: 8.x: All versions from 8.6.0 up to and including 8.19.12 9.x: All versions from 9.0.0 up to and including 9.2.6 All versions from 9.3.0 up to and including 9.3.1 (9.4.0 and later not affected) Affected Configurations: Affects deployments that use Elastic Defend response actions. Solutions and Mitigations: The issue is resolved in version 8.19.13, 9.2.7, and 9.3.2. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 5.3 ) – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE ID: CVE-2026-56152 Problem Type: CWE-863 – Incorrect Authorization Impact: CAPEC-1 – Accessing Functionality Not Properly Constrained by ACLs 1 post – 1 participant Read full topic
- Kibana 8.19.17, 9.3.6, 9.4.3 Security Update (ESA-2026-45)by kruskall on July 1, 2026 at 1:56 pm
Improper Input Validation in Kibana Leading to Denial of Service Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user can submit a specially crafted Fleet policy input that is not correctly validated, which can render Fleet agent, server, and policy management functionality unavailable. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.16 9.x: All versions from 9.0.0 up to and including 9.3.5 All versions from 9.4.0 up to and including 9.4.2 Affected Configurations: Affects deployments that use Fleet. Exploitation requires an authenticated account with privileges to manage Fleet policies. Solutions and Mitigations: The issue is resolved in version 8.19.17, 9.3.6, and 9.4.3. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-56151 Problem Type: CWE-20 – Improper Input Validation Impact: CAPEC-153 – Input Data Manipulation 1 post – 1 participant Read full topic
- Fleet Server 8.19.11, 9.2.5, 9.3.0 Security Update (ESA-2026-44)by kruskall on July 1, 2026 at 1:53 pm
Allocation of Resources Without Limits or Throttling in Fleet Server Leading to Denial of Service Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.10 9.x: All versions from 9.0.0 up to and including 9.2.4 Affected Configurations: All configurations are affected. Solutions and Mitigations: The issue is resolved in version 8.19.11, 9.2.5, and 9.3.0. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-56150 Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Elasticsearch 8.19.17, 9.3.6, 9.4.3 Security Update (ESA-2026-43)by kruskall on July 1, 2026 at 1:51 pm
Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.16 9.x: All versions from 9.0.0 up to and including 9.3.5 All versions from 9.4.0 up to and including 9.4.2 Affected Configurations: Affects deployments that use machine learning. Exploitation requires an account with privileges to create or manage trained models. Solutions and Mitigations: The issue is resolved in version 8.19.17, 9.3.6, and 9.4.3. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 4.9 ) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-56149 Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Elasticsearch 8.19.17, 9.3.6, 9.4.3 Security Update (ESA-2026-42)by kruskall on July 1, 2026 at 1:50 pm
Uncontrolled Recursion in Elasticsearch Leading to Denial of Service Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.16 9.x: All versions from 9.0.0 up to and including 9.4.2 The 9.3 release line is affected up to and including 9.3.5 Affected Configurations: All configurations are affected. Exploitation requires an authenticated account with privileges to submit queries; no administrative privileges are required. Solutions and Mitigations: The issue is resolved in versions 8.19.17, 9.3.6, and 9.4.3. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-56148 Problem Type: CWE-674 – Uncontrolled Recursion Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Fleet Server 8.19.15, 9.3.4, 9.4.0 Security Update (ESA-2026-41)by kruskall on July 1, 2026 at 1:48 pm
Dependency on Vulnerable Third-Party Component in Fleet Server Leading to Denial of Service Dependency on Vulnerable Third-Party Component (CWE-1395) exists in the Go standard library used by Fleet Server that could allow a remote attacker to cause denial of service by sending a specially crafted payload that triggers the known vulnerability CVE-2026-32283. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.14 9.x: All versions from 9.0.0 up to and including 9.3.3 Affected Configurations: All configurations are affected. Solutions and Mitigations: The issue is resolved in Fleet Server versions 8.19.15, 9.3.4, and 9.4.0. For Users that Cannot Upgrade: Self-Managed Restrict network-level access to Fleet Server to trusted hosts and IP ranges only. Cloud Elastic Cloud Hosted deployments of Fleet Server are managed by Elastic. Contact Elastic Support if you require immediate assistance prior to the fix being applied. Indicators of Compromise (IOC) No specific indicators of compromise have been identified for this vulnerability. Severity: CVSSv3.1: High ( 7.5 ) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-32283 Problem Type: CWE-1395 – Dependency on Vulnerable Third-Party Component 1 post – 1 participant Read full topic
- Kibana 9.3.3 Security Update (ESA-2026-40)by ismisepaul on May 28, 2026 at 7:26 pm
Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block. Affected Versions: 9.x: All versions from 9.3.0 up to and including 9.3.2 Affected Configurations: This issue applies to Kibana deployments where xpack.actions.allowedHosts is configured to a non-wildcard value as a network egress control. Deployments using the default [“*”] setting do not enforce an allowlist and are not affected by the bypass described in this advisory. Solutions and Mitigations: The issue is resolved in versions 9.3.3. For Users that Cannot Upgrade: Restrict connector management privileges Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.3 ) – AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE ID: CVE-2026-49093 Problem Type: CWE-918 – Server-Side Request Forgery (SSRF) 1 post – 1 participant Read full topic
- Kibana 8.19.16 Security Update (ESA-2026-39)by ismisepaul on May 28, 2026 at 7:26 pm
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 Affected Configurations: Self-managed and Elastic Cloud Hosted Kibana deployments with the behavioral analytics collections feature available are affected. This vulnerability does not affect Elastic Cloud Serverless. Solutions and Mitigations: The issue is resolved in versions 8.19.16. For Users that Cannot Upgrade: Restrict access to the behavioral analytics collections feature by limiting the relevant Kibana feature privilege. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-49094 Problem Type: CWE-400 – Uncontrolled Resource Consumption Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Kibana Fleet 8.19.16, 9.3.5, and 9.4.2 Security Update (ESA-2026-38)by ismisepaul on May 28, 2026 at 7:26 pm
Improper Input Validation in Kibana Fleet Leading to Privilege Escalation Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 All versions from 9.4.0 up to and including 9.4.1 Affected Configurations: Kibana deployments with the Fleet feature enabled where users have been granted the Fleet management application privilege (fleet-all) are affected. Solutions and Mitigations: The issue is resolved in versions 8.19.16, 9.3.5, and 9.4.2. For Users that Cannot Upgrade: Restrict the fleet-all Kibana application privilege. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: High ( 7.2 ) – AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE ID: CVE-2026-49095 Problem Type: CWE-20 – Improper Input Validation 1 post – 1 participant Read full topic
- Kibana 9.2.8, and 9.3.2 Security Update (ESA-2026-37)by ismisepaul on May 28, 2026 at 7:25 pm
Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block. Affected Versions: 9.x: All versions from 9.0.0 up to and including 9.2.7 All versions from 9.3.0 up to and including 9.3.1 Affected Configurations: Kibana deployments where the xpack.actions.allowedHosts setting is configured to restrict outbound connector connections (i.e., not set to the wildcard value) and where users have been granted connector management privileges are affected. Solutions and Mitigations: The issue is resolved in versions 9.2.8, and 9.3.2. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: High ( 7.7 ) – AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE ID: CVE-2026-42398 Problem Type: CWE-918 – Server-Side Request Forgery (SSRF) 1 post – 1 participant Read full topic
- Kibana 8.19.16, and 9.3.5 Security Update (ESA-2026-36)by ismisepaul on May 28, 2026 at 7:25 pm
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 Affected Configurations: All Kibana deployments (self-managed and Elastic Cloud Hosted) where authenticated users have access to the Timelion visualization feature are affected. Solutions and Mitigations: The issue is resolved in versions 8.19.16, and 9.3.5. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-42399 Problem Type: CWE-400 – Uncontrolled Resource Consumption Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Kibana 8.19.16, 9.3.5, 9.4.2 Security Update (ESA-2026-35)by ismisepaul on May 28, 2026 at 7:25 pm
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 All versions from 9.4.0 up to and including 9.4.1 Affected Configurations: All configurations of Kibana accessible to authenticated users are affected. Solutions and Mitigations: The issue is resolved in versions 8.19.16, 9.3.5, and 9.4.2. For Users that Cannot Upgrade: There are no workarounds for this vulnerability. Indicators of Compromise (IOC) Users can monitor for unusual spikes in Kibana memory and CPU utilization, unexpected Kibana process crashes or restarts, and an abnormal volume of large compressed requests in Kibana’s access logs. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-42400 Problem Type: CWE-400 – Uncontrolled Resource Consumption Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Kibana 8.19.16, 9.3.5 Security Update (ESA-2026-34)by ismisepaul on May 28, 2026 at 7:25 pm
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user’s browser session. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 Affected Configurations: This is a self-hosted plugin, so no cloud deployment is affected. Solutions and Mitigations: The issue is resolved in Kibana versions 8.19.16, 9.3.5. Severity: CVSSv3.1: Medium ( 4.1 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N CVE ID: CVE-2026-42401 Problem Type: CWE-79 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 1 post – 1 participant Read full topic
- 8.19.16, 9.3.5 Security Update (ESA-2026-33)by ismisepaul on May 28, 2026 at 7:24 pm
Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 Affected Configurations: Kibana deployments that make use of the public file sharing feature to issue time-bounded download links are affected. Deployments that do not issue public share tokens are not impacted. Solutions and Mitigations: The issue is resolved in Kibana versions 8.19.16, 9.3.5. For Users that Cannot Upgrade: Revoke any active public file share tokens and avoid issuing new public shares until the upgrade has been applied. Where feasible, restrict access to file-sharing functionality to trusted administrators only. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 5.3 ) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE ID: CVE-2026-33463 Problem Type: CWE-672 – Operation on a Resource after Expiration or Termination 1 post – 1 participant Read full topic
- Kibana 8.19.16, 9.3.5, 9.4.1 Security Update (ESA-2026-32)by ismisepaul on May 28, 2026 at 7:24 pm
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 Version 9.4.0 Affected Configurations: All Kibana deployments where untrusted users hold authenticated access at the Viewer role or higher are affected. Solutions and Mitigations: The issue is resolved in Kibana version 8.19.16, 9.3.5, 9.4.1 Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-33464 Problem Type: CWE-400 – Uncontrolled Resource Consumption Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic
- Kibana 8.19.16 and 9.3.5 Security Update (ESA-2026-30)by ismisepaul on May 28, 2026 at 7:24 pm
Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts A path traversal vulnerability was identified in Kibana’s dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.15 9.x: All versions from 9.0.0 up to and including 9.3.4 Affected Configurations: Kibana instances where untrusted users hold dashboard creation permissions and administrators perform dashboard deletion operations. Solutions and Mitigations: The issue is resolved in Kibana version 8.19.16 and 9.3.5. For Users that Cannot Upgrade: Restrict dashboard creation permissions to trusted users only. Limit the Analytics > Dashboard > All permission to authorized personnel to reduce the risk of a malicious dashboard object being created. Indicators of Compromise (IOC) Administrators can review Kibana audit logs for dashboard deletion events that correspond to unexpected security-sensitive operations. Dashboard identifiers containing path traversal sequences may indicate attempted exploitation. Review Kibana audit logs for deletion requests redirected to unexpected internal endpoints. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 4.6 ) -CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L CVE ID: CVE-2026-33462 Problem Type: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1 post – 1 participant Read full topic
- Elastic Package Registry 1.38.0 Security Update (ESA-2026-27)by ismisepaul on April 28, 2026 at 9:11 pm
Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed. Affected Versions: All versions of the Elastic Package Registry up to and including 1.37.0. Affected Configurations: Self-hosted deployments that sync packages from an upstream source (via the distribution tool or proxy mode). Exploitation requires an attacker positioned to intercept or modify network traffic between the self-hosted Elastic Package Registry and its upstream source. Not affected Configurations: Elastic’s public package registry at https://epr.elastic.co and deployments that pull packages directly from it. Solutions and Mitigations: The issue is resolved in Elastic Package Registry version 1.38.0. Severity: CVSSv3.1: Medium ( 5.9 ) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE ID: CVE-2026-33467 Problem Type: CWE-347 – Improper Verification of Cryptographic Signature 1 post – 1 participant Read full topic
- Logstash 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-29)by ismisepaul on April 8, 2026 at 4:32 pm
Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.13 9.x: All versions from 9.0.0 up to and including 9.2.7 All versions from 9.3.0 up to and including 9.3.2 Affected Configurations: Deployments with the GeoIP database downloader enabled and configured to use an external update endpoint are affected. The risk is elevated in configurations where automatic pipeline configuration reloading is enabled and the pipeline configuration directory is writable by the Logstash process. Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3. For Users that Cannot Upgrade: If you do not require the GeoIP database downloader, the most effective mitigation is to disable it entirely. This fully removes the attack surface, and no further action is needed: Set xpack.geoip.downloader.enabled: false in the Logstash configuration. If you must keep the GeoIP database downloader enabled, apply the following together: Primary: Ensure the downloader endpoint uses HTTPS and points to a trusted source, to reduce the risk of an attacker substituting or intercepting the update feed. Defense-in-depth: Disable automatic pipeline configuration reloading to prevent escalation from file write to code execution. Defense-in-depth: Restrict filesystem write permissions for the Logstash process to only the directories it requires, to limit the impact of an arbitrary file write. Indicators of Compromise (IOC) Check for unexpected files written outside the GeoIP database directory. Review the filesystem for files that should not exist in pipeline configuration directories or other sensitive locations. Monitor Logstash logs for GeoIP database download activity, particularly downloads from unexpected endpoints. Check for unexplained pipeline configuration files or changes to existing pipeline configurations. Review file integrity monitoring alerts for writes to directories outside the expected GeoIP data path. Severity: CVSSv3.1: High ( 8.1 ) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE ID: CVE-2026-33466 Problem Type: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) Impact: CAPEC-139 – Relative Path Traversal Changelog 2026-06-04: Restructured “For Users that Cannot Upgrade” into two paths: disabling the GeoIP downloader as a standalone complete fix, with HTTPS + trusted source and the two hardening steps (defense-in-depth) applying only if the downloader stays enabled. 1 post – 1 participant Read full topic
- Kibana 9.3.3 Security Update (ESA-2026-28)by ismisepaul on April 8, 2026 at 4:29 pm
Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. Affected Versions: 9.x: All versions from 9.3.0 up to and including 9.3.2 Affected Configurations: Deployments running Kibana 9.3.x with the Workflows Execution Engine enabled. Exploitation requires an authenticated user with workflow creation and execution privileges. Solutions and Mitigations: The issue is resolved in version 9.3.3. Indicators of Compromise (IOC) Monitor workflow execution logs for HTTP step executions that result in redirect responses, particularly those targeting internal hosts not on the allowlist. Review Kibana audit logs for workflow execution activity, focusing on HTTP step executions with redirect-following behavior. Monitor network logs for outbound connections from Kibana to unexpected internal hosts. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.8 ) – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE ID: CVE-2026-33458 Problem Type: CWE-918 – Server-Side Request Forgery (SSRF) 1 post – 1 participant Read full topic
- Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-26)by ismisepaul on April 8, 2026 at 4:25 pm
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. Affected Versions: 8.x: All versions from 8.15.0 up to and including 8.19.13 9.x: All versions from 9.0.0 up to and including 9.2.7 All versions from 9.3.0 up to and including 9.3.2 Affected Configurations: Deployments with the automatic import plugin enabled are affected. The plugin is enabled by default in Kibana 8.15 and later. Exploitation requires an authenticated user with Fleet and Integrations privileges. Solutions and Mitigations: The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3. Indicators of Compromise (IOC) Monitor for repeated or concurrent requests to automatic import endpoints from the same user or session, particularly requests with unusually large payloads. Review Kibana audit logs and HTTP access logs for patterns of high-volume requests to automatic import API endpoints. Monitor for HTTP 502 errors that may indicate resource exhaustion caused by exploitation attempts. Elastic Cloud Serverless Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure. Severity: CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE ID: CVE-2026-33459 Problem Type: CWE-400 – Uncontrolled Resource Consumption Impact: CAPEC-130 – Excessive Allocation 1 post – 1 participant Read full topic





