Elastic Kibana vulnerabilities
121 known vulnerabilities affecting elastic/kibana.
Total CVEs: 121
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 7, HIGH 26, MEDIUM 86, LOW 2
Vulnerabilities
Page 6 of 7
CVE-2022-23713  MEDIUM (CVSS 6.1)  CWE-79  P4  2022-07-06
Affected: ≥ 7.0.0, < 7.17.5; ≥ 8.0.0, ≤ 8.2.3; +1 more
A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser.
Source: nvd
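The "Affected" strings in these entries (for example "≥ 7.0.0, < 7.17.5", "≤ 5.3.0", or a bare version such as "5.4.0") are what an installed Kibana version has to be compared against, and several entries on this page are cut off with "+N more" or use prose forms such as "fixed in 5.6.7". The Python below is an added example, not code from this page or from Elastic: it parses the comparator notation, treats a truncated or unparsed list as incomplete, and answers "unknown" rather than "not affected" in that case, because a negative verdict from an incomplete list is not evidence of safety. The sample ranges in PAGE_ENTRIES are copied from entries on this page; the function names are this example's own.

```python
"""Check an installed Kibana version against affected-range strings written in
the notation this listing uses ("≥ 7.0.0, < 7.17.5", "≤ 5.3.0", "5.4.0").

Added example, not code from this page or from Elastic. The sample ranges in
PAGE_ENTRIES are copied from entries on this page; everything else is this
example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Comparators as printed on the page, plus ASCII spellings.
_OPS = {"≥": ">=", "≤": "<=", ">=": ">=", "<=": "<=", "<": "<", ">": ">"}
# One clause: optional comparator, optional "v" prefix, dotted version.
_CLAUSE = re.compile(r"^(≥|≤|>=|<=|<|>)?\s*v?(\d+(?:\.\d+)*)$")
_TRUNCATED = re.compile(r"^\+\d+ more$")


def parse_version(text: str) -> Version:
    """'8.2' -> (8, 2, 0): pad to three parts so tuple comparison is sane."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_range(text: str) -> Optional[List[Tuple[str, Version]]]:
    """'≥ 8.0.0, ≤ 8.2.3' -> [('>=', (8, 0, 0)), ('<=', (8, 2, 3))].

    Returns None for prose forms this parser does not understand
    ("fixed in 5.6.7", "before 6.8.11 and 7.8.1"), so the caller can flag
    them instead of silently treating them as 'not affected'.
    """
    clauses = []
    for raw in text.split(","):
        m = _CLAUSE.match(raw.strip())
        if not m:
            return None
        sym = m.group(1)
        clauses.append((_OPS[sym] if sym else "==", parse_version(m.group(2))))
    return clauses


def _satisfies(clauses: List[Tuple[str, Version]], v: Version) -> bool:
    """True when v lies inside every clause of one range."""
    for op, bound in clauses:
        hit = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
               "<": v < bound, "==": v == bound}[op]
        if not hit:
            return False
    return True


def is_affected(installed: str, ranges: List[str]) -> str:
    """Return 'affected', 'not affected' or 'unknown'.

    Any matching range is decisive. Otherwise, if the list was cut off with
    '+N more' or contained a range the parser could not read, answer
    'unknown': a negative from an incomplete list is not evidence of safety.
    """
    v = parse_version(installed)
    incomplete = False
    for r in ranges:
        r = r.strip()
        if _TRUNCATED.match(r):
            incomplete = True
            continue
        clauses = parse_range(r)
        if clauses is None:
            incomplete = True
        elif _satisfies(clauses, v):
            return "affected"
    return "unknown" if incomplete else "not affected"


# Affected-range strings copied from entries on this page.
PAGE_ENTRIES: Dict[str, List[str]] = {
    "CVE-2022-23713": ["≥ 7.0.0, < 7.17.5", "≥ 8.0.0, ≤ 8.2.3", "+1 more"],
    "CVE-2017-8451": ["≤ 5.3.0"],
    "CVE-2017-8439": ["5.4.0"],
    "CVE-2018-3821": ["fixed in 5.6.7", "≥ 6.0.0, < 6.1.3", "+1 more"],
    "CVE-2024-37279": ["≥ 8.6.3, < 8.14.0", "≥ 8.6.3, ≤ 8.13.4"],
}


def report(installed: str) -> Dict[str, str]:
    """Verdict per CVE for one installed version."""
    return {cve: is_affected(installed, rs) for cve, rs in PAGE_ENTRIES.items()}


if __name__ == "__main__":
    for cve, verdict in report("8.13.4").items():
        print(f"{cve}: {verdict}")
```

Run it with the version string from your Kibana's /api/status; any "unknown" verdict means the range list on this page was truncated or written in prose and should be resolved against the full advisory before being treated as "not affected".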
CVE-2024-43710  MEDIUM (CVSS 4.3)  CWE-918  P4  2025-01-23
Affected: ≥ 8.7.0, < 8.15.0
A server-side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.
Source: nvd
CVE-2026-33460  MEDIUM (CVSS 4.3)  CWE-863  P4  2026-04-08
Affected: ≥ 8.0.0, < 8.19.14; ≥ 9.0.0, < 9.2.8; +4 more
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using a
Source: nvd
CVE-2017-8440  MEDIUM (CVSS 6.1)  CWE-79  P4  2017-06-05
Affected: 5.3.0; 5.3.1; +4 more
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Source: nvd
CVE-2017-8439  MEDIUM (CVSS 6.1)  CWE-79  P4  2017-06-05
Affected: 5.4.0
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.
Source: nvd
CVE-2017-8451  MEDIUM (CVSS 6.1)  CWE-601  P4  2017-06-16
Affected: ≤ 5.3.0
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Source: nvd
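An open redirect on a login page is almost always a "next" or "return to" parameter that is handed back to the browser unchecked after authentication. The Python below is an added example, not Kibana's code or its fix; it shows the check a login handler would apply to that parameter: reject absolute URLs, scheme-relative URLs (//host, and the backslash form /\host that browsers normalise to //), pseudo-schemes such as javascript:, and any control characters, and allow only a rooted same-origin path. The default landing path "/app/kibana" and the function name are assumptions for the example.

```python
"""Validate a post-login redirect target so it can only point back at the
same origin. Added example, not Kibana's code or its fix; the default landing
path and the function name are assumptions for the example."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LANDING = "/app/kibana"  # assumed default; substitute your app's


def safe_next_url(candidate: str, default: str = DEFAULT_LANDING) -> str:
    """Return `candidate` if it is a same-origin path, else `default`.

    Rejected: absolute URLs (https://evil.example), scheme-relative URLs
    (//evil.example and the backslash form /\\evil.example, which browsers
    normalise to //), pseudo-schemes (javascript:, data:), and anything
    containing control characters that lenient URL parsing might swallow.
    """
    if not candidate:
        return default
    # Refuse control characters outright instead of trying to clean them:
    # browsers strip tabs/newlines before parsing, validators often do not,
    # and that mismatch is how "/\tevil" style payloads slip through.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    candidate = candidate.strip()
    # Browsers treat "\" as "/" in the scheme and authority part.
    normalised = candidate.replace("\\", "/")
    # Must be a rooted path, and not a scheme-relative "//host".
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return default
    # Re-emit only path, query and fragment, dropping anything else.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs a login handler might receive via ?next=...
    for sample in ["/app/discover?x=1", "//evil.example/", "/\\evil.example",
                   "https://evil.example/", "javascript:alert(1)", "/app\tx"]:
        print(f"{sample!r:28} -> {safe_next_url(sample)}")
```

The check deliberately allow-lists one shape (a rooted path on this origin) instead of deny-listing known bad prefixes; the backslash normalisation and the control-character refusal exist because browsers and server-side parsers disagree on those characters, and that disagreement is where most "fixed" open redirects reopen.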
CVE-2018-3821  MEDIUM (CVSS 6.1)  CWE-79  P4  2018-03-30
Affected: fixed in 5.6.7; ≥ 6.0.0, < 6.1.3; +1 more
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Source: nvd
CVE-2018-3820  MEDIUM (CVSS 6.1)  CWE-79  P4  2018-03-30
Affected: fixed in 6.1.3; after 6.1.0 and before 6.1.3
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Source: nvd
CVE-2021-22151  MEDIUM (CVSS 4.3)  CWE-22  P4  2023-11-22
Affected: ≥ 7.9.0, ≤ 7.14.0; ≥ 7.9.0, < 7.14.0
It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.
Source: nvd
CVE-2021-37938  MEDIUM (CVSS 4.3)  CWE-269  P4  2021-11-18
Affected: ≥ 7.9.0, < 7.15.2; all versions from 7.9.0 through 7.15.1
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.
Source: nvd
CVE-2022-23709  MEDIUM (CVSS 4.3)  CWE-264  P4  2022-03-03
Affected: ≥ 7.7.0, < 7.17.1; 8.0.0; +1 more
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effecti
Source: nvd
CVE-2024-37279  MEDIUM (CVSS 4.3)  CWE-284  P4  2024-06-13
Affected: ≥ 8.6.3, < 8.14.0; ≥ 8.6.3, ≤ 8.13.4
A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries.
Source: nvd
CVE-2025-37734  MEDIUM (CVSS 4.3)  CWE-346  P4  2025-11-12
Affected: ≥ 8.12.0, < 8.19.7; ≥ 9.1.0, < 9.1.7; +3 more
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
Source: nvd
CVE-2020-7016  MEDIUM (CVSS 4.8)  CWE-185  P4  2020-07-27
Affected: before 6.8.11 and 7.8.1
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.
Source: nvd
CVE-2015-4093  MEDIUM (CVSS 4.3)  CWE-79  P4  2015-06-15
Affected: 4.0.0; 4.0.1; +1 more
Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2021-22136  LOW (CVSS 3.5)  CWE-613  P4  2021-05-13
Affected: fixed in 6.8.15; ≥ 7.0.0, < 7.12.0; +1 more
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users' sessions, preventing a user session from timing out.
Source: nvd
CVE-2021-37939  LOW (CVSS 2.7)  CWE-200  P4  2021-11-18
Affected: ≥ 7.8.0, < 7.15.2; all versions from 7.8.0 through 7.15.1
It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible
Sources: ghsa, nvd, osv
CVE-2026-49091  HIGH (CVSS 8.0)  CWE-117  2026-07-01
Affected: ≥ 8.0.0, ≤ 8.11.0; ≥ 7.0.0, ≤ 7.17.14
Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content
Source: nvd
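Log injection of this kind works because an untrusted value is written into the log line verbatim, and whatever later displays the line (a terminal, a viewer, a log shipper) interprets CR/LF as a record boundary and ESC or C1 bytes as control sequences. The Python below is an added example, not Kibana's code or its fix; it neutralises a value before logging by escaping backslashes, quotes, C0 and C1 control characters and the Unicode line separators, caps the length, and shows a forged-record payload being flattened onto one line. The key="value" record format in audit_line is an assumption for the example.

```python
"""Neutralise untrusted values before they are written to a log line.
Added example, not Kibana's code or its fix; the log-line format in
audit_line is an assumption for the example."""
import re

# Characters a terminal or viewer may act on: C0 controls (NUL..US, which
# includes ESC 0x1b, CR, LF, BS), DEL, C1 controls (0x80-0x9f, where 0x9b is a
# one-byte CSI), and the Unicode line/paragraph separators some viewers break
# lines on.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def _escape_control(m) -> str:
    """Replace one matched control character with a visible escape."""
    ch = m.group(0)
    if ch in _NAMED:
        return _NAMED[ch]
    cp = ord(ch)
    return f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}"


def neutralize_for_log(value: str, max_len: int = 1024) -> str:
    """Return value with every character a log viewer could interpret
    replaced by a visible escape, so one input is always one log field."""
    # Escape the escape character first so output is unambiguous: a literal
    # backslash-n in the input becomes \\n, a real newline becomes \n.
    out = value.replace("\\", "\\\\").replace('"', '\\"')
    out = _CONTROL.sub(_escape_control, out)
    # Cap length as well: oversized fields are their own (disk, parser) DoS.
    if len(out) > max_len:
        out = out[:max_len] + "...[truncated]"
    return out


def audit_line(user: str, action: str) -> str:
    """Build one key="value" audit record from untrusted fields (assumed format)."""
    return f'user="{neutralize_for_log(user)}" action="{neutralize_for_log(action)}"'


if __name__ == "__main__":
    # Constructed payload: CR LF to forge a second record, then ESC[2J to
    # clear the screen of anyone tailing the log in a terminal.
    payload = "bob\r\n[INFO] admin login ok\x1b[2J"
    print(audit_line(payload, "login"))
```

Escaping is done on the value, not on the whole line, so the surrounding structure (quotes, separators) stays under the logger's control; escaping the backslash first keeps the output reversible, which matters when a SIEM later parses the field back.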
CVE-2026-49087  MEDIUM (CVSS 6.5)  CWE-770  2026-07-01
Affected: ≥ 9.0.0, ≤ 9.3.3; ≥ 8.0.0, ≤ 8.19.14
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.
Source: nvd
CVE-2026-56151  MEDIUM (CVSS 6.5)  CWE-20  2026-07-01
Affected: ≥ 9.0.0, ≤ 9.3.5; ≥ 8.0.0, ≤ 8.19.16; +1 more
Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user can submit a specially crafted Fleet policy input that is not correctly validated, which can render Fleet agent, server, and policy management functionality unavailable.
Source: nvd