SB2026022720 - Multiple vulnerabilities in Elastic Kibana

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2026-26934)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with view-only privileges can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2026-26935)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the internal Content Connectors search endpoint. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-26938)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with workflowsManagement:executeWorkflow privilege can view contents of arbitrary files on the server. 

Remediation

Install update from vendor's website.

References

• https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-12/385248
• https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-13/385249
• https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253