Elastic Kibana vulnerabilities
117 known vulnerabilities affecting elastic/kibana.
Total CVEs: 117
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 7, HIGH 25, MEDIUM 83, LOW 2
Vulnerabilities
Page 3 of 6
CVE-2026-0530 | P3 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: ≥ 7.10.0, < 7.17.29; ≥ 8.0.0, < 8.19.10; +6 more | Date: 2026-01-13 | Source: nvd
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.
CVE-2026-49094 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 8.0.0, < 8.19.16; ≥ 8.0.0, ≤ 8.19.15 | Date: 2026-05-28 | Source: nvd
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the
CVE-2025-25010 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Affected: ≥ 9.0.0, < 9.0.6; ≥ 9.1.0, < 9.1.3; +2 more | Date: 2025-08-28 | Source: nvd
Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role, which incorrectly has the ability to access all Kibana Spaces.
CVE-2023-46675 | P3 | MEDIUM | CVSS 6.5 | CWE-532 | Affected: ≥ 7.13.0, < 7.17.16; ≥ 8.0.0, < 8.11.2 | Date: 2023-12-13 | Source: nvd
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, a
CVE-2026-26934 | P3 | MEDIUM | CVSS 6.5 | CWE-1284 | Affected: ≥ 8.18.0, < 8.19.12; ≥ 9.0.0, < 9.2.6; +4 more | Date: 2026-02-26 | Source: nvd
Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive o
CVE-2026-26940 | P3 | MEDIUM | CVSS 6.5 | CWE-1284 | Affected: ≥ 8.0.0, < 8.19.13; ≥ 9.0.0, < 9.2.7; +4 more | Date: 2026-03-19 | Source: nvd
Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantit
CVE-2023-46671 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | Affected: ≥ 8.0.0, < 8.11.1 | Date: 2023-12-13 | Source: nvd
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infre
CVE-2024-52972 | P3 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: fixed in 7.17.23; ≥ 8.0.0, < 8.15.0; +1 more | Date: 2025-01-23 | Source: nvd
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
CVE-2024-52973 | P3 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: fixed in 7.17.23; ≥ 8.0.0, < 8.14.2; +1 more | Date: 2025-01-21 | Source: nvd
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana.
CVE-2024-52974 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 7.17.0, < 7.17.23; ≥ 8.0.0, < 8.15.1; +2 more | Date: 2025-04-08 | Source: nvd
An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.
CVE-2026-33464 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +4 more | Date: 2026-05-28 | Source: nvd
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users unti
CVE-2026-33459 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 8.15.0, < 8.19.14; ≥ 9.0.0, < 9.2.8; +4 more | Date: 2026-04-08 | Source: nvd
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable,
CVE-2024-43707 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | Affected: ≥ 8.7.0, < 8.15.0; ≥ 8.0.0, < 8.15.0 | Date: 2025-01-23 | Source: nvd
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
CVE-2026-42399 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +2 more | Date: 2026-05-28 | Source: nvd
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulti
CVE-2025-68389 | P4 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.9; +5 more | Date: 2025-12-18 | Source: nvd
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
CVE-2016-10364 | P4 | MEDIUM | CVSS 6.5 | CWE-306 | Affected: v5.0.0; v5.0.1 | Date: 2017-06-16 | Source: nvd
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service; any authenticated user could make requests to those services regardless of their own permissions.
CVE-2022-38778 | P4 | MEDIUM | CVSS 6.5 | CWE-20 | Affected: ≥ 7.0.0, < 7.17.9; ≥ 8.0.0, < 8.6.1; +1 more | Date: 2023-02-08 | Source: nvd
A flaw (CVE-2022-38900) was discovered in one of Kibana's third-party dependencies that could allow an authenticated user to perform a request that crashes the Kibana server process.
CVE-2024-37281 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 7.0.0, < 7.17.23; ≥ 8.0.0, < 8.14.0; +2 more | Date: 2024-07-30 | Source: nvd
An issue was discovered in Kibana where a user with the Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.
CVE-2024-43708 | P4 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: fixed in 7.17.23; ≥ 8.0.0, < 8.15.0; +1 more | Date: 2025-01-23 | Source: nvd
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in the Kibana UI. This can be carried out by users with read access to any feature in Kibana.
CVE-2019-7616 | P4 | MEDIUM | CVSS 4.9 | CWE-918 | Affected: fixed in 6.8.2; ≥ 7.0.0, < 7.2.1; +1 more | Date: 2019-07-30 | Source: nvd
Kibana versions before 6.8.2 and 7.2.1 contain a server-side request forgery (SSRF) flaw in the graphite integration for the Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana