Elastic Kibana vulnerabilities
117 known vulnerabilities affecting elastic/kibana.
Total CVEs: 117
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 7, HIGH 25, MEDIUM 83, LOW 2
Vulnerabilities
Page 2 of 6
CVE-2026-33458 | P3 | HIGH | CVSS 7.7 | CWE-918 | ≥ 9.3.0, < 9.3.3; ≥ 9.3.0, ≤ 9.3.2 | 2026-04-08
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Source: nvd
CVE-2026-33462 | P3 | HIGH | CVSS 7.3 | CWE-22 | ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +2 more | 2026-05-28
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended
Source: nvd
CVE-2020-7013 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 6.8.9; ≥ 7.0.0, < 7.7.0; +1 more | 2020-06-03
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Source: nvd
CVE-2023-31422 | P3 | HIGH | CVSS 7.5 | CWE-532 | 8.10.0 | 2023-10-26
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in
Source: nvd
CVE-2026-0528 | P3 | HIGH | CVSS 7.5 | CWE-129 | ≥ 7.0.0, < 7.17.29; ≥ 8.0.0, < 8.19.10; +2 more | 2026-01-13
Improper Validation of Array Index (CWE-129) in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper mo
Source: nvd
CVE-2016-1000219 | P3 | HIGH | CVSS 7.5 | CWE-285 | ≥ 4.1.0, < 4.1.11; ≥ 4.5.0, < 4.5.4 | 2017-06-16
In Kibana before 4.5.4 and 4.1.11, when a custom output is configured for logging, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
Source: nvd
CVE-2021-22150 | P3 | HIGH | CVSS 7.2 | CWE-94 | ≥ 7.10.2, < 7.14.1; ≥ 7.10.2, < 7.14.0 | 2023-11-22
It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.
Source: nvd
CVE-2026-33461 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | ≥ 8.0.0, < 8.19.14; ≥ 9.0.0, < 9.2.8; +4 more | 2026-04-08
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privil
Source: nvd
CVE-2026-49095 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +4 more | 2026-05-28
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to
Source: nvd
CVE-2026-26939 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | ≥ 8.0.0, < 8.19.12; ≥ 9.0.0, < 9.2.6; +4 more | 2026-03-19
Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges
Source: nvd
CVE-2026-26935 | P3 | HIGH | CVSS 7.5 | CWE-20 | ≥ 8.4.0, < 8.19.12; ≥ 9.0.0, < 9.2.6; +4 more | 2026-02-26
Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).
Source: nvd
CVE-2026-0531 | P3 | MEDIUM | CVSS 6.5 | CWE-770 | ≥ 7.10.0, < 7.17.29; ≥ 8.0.0, < 8.19.10; +6 more | 2026-01-13
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to pe
Source: nvd
CVE-2026-0543 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.0; +5 more | 2026-01-13
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially cr
Source: nvd
CVE-2017-8452 | P3 | HIGH | CVSS 7.5 | CWE-775 | ≤ 5.2.0; before 5.2.1 | 2017-06-16
In Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
Source: nvd
CVE-2026-26937 | P3 | HIGH | CVSS 7.5 | CWE-400 | ≥ 8.0.0, < 8.19.11; ≥ 9.0.0, < 9.2.5; +2 more | 2026-02-26
Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).
Source: nvd
CVE-2024-23446 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | ≥ 8.0.0, < 8.12.1; ≥ 8.12.0, < 8.12.1 | 2024-02-07
An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS agai
Source: nvd
CVE-2026-26936 | P3 | HIGH | CVSS 7.5 | CWE-1333 | ≥ 8.0.0, < 8.19.11; ≥ 9.0.0, < 9.2.5; +2 more | 2026-02-26
Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
Source: nvd
CVE-2019-7618 | P3 | MEDIUM | CVSS 6.5 | CWE-538 | 7.3.0; 7.3.1; +1 more | 2019-10-01
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
Source: nvd
CVE-2025-37735 | P3 | HIGH | CVSS 7.0 | CWE-281 | ≥ 8.0.0, ≤ 8.19.5; ≥ 9.0.0, ≤ 9.1.5 | 2025-11-06
Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.
Source: nvd
CVE-2026-42400 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +4 more | 2026-05-28
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming un
Source: nvd