SB2026052933 - Multiple vulnerabilities in Kibana



SB2026052933 - Multiple vulnerabilities in Kibana

Published: May 29, 2026

Security Bulletin ID: SB2026052933
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 13%, Low: 88%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-49095)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper input validation in the Kibana Fleet agent policy management feature when processing configuration overrides. A remote privileged user can inject values into the configuration override mechanism to escalate privileges.

Only deployments with the Fleet feature enabled where users have been granted the Fleet management application privilege are affected.


2) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2026-33463)

CWE-ID: CWE-672 - Operation on a Resource after Expiration or Release

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to operation on a resource after expiration or termination in Kibana public file sharing when validating expiration timestamps for time-bounded download links. A remote attacker can use an expired token in their possession to disclose sensitive information.

Only deployments that use the public file sharing feature to issue time-bounded download links are affected.


3) Resource exhaustion (CVE-ID: CVE-2026-42400)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in Kibana request processing when handling a specially crafted compressed request payload prior to authorization checks. A remote user can send a specially crafted compressed request payload to cause a denial of service.

All Kibana configurations accessible to authenticated users are affected.


4) Cross-site scripting (CVE-ID: CVE-2026-42401)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to manipulate the user interface and trigger outbound network requests from the victim's browser session.

The vulnerability exists due to cross-site scripting in an affected Kibana view when rendering crafted markup persisted in an Elasticsearch index. A remote user can store crafted markup in an Elasticsearch index to manipulate the user interface and trigger outbound network requests from the victim's browser session.

User interaction is required when another user views the affected Kibana content.


5) Path traversal (CVE-ID: CVE-2026-33462)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify or delete unintended internal resources.

The vulnerability exists due to path traversal in Kibana's dashboard management functionality when processing a dashboard deletion request for a specially crafted dashboard identifier. A remote user can create a dashboard with a specially crafted identifier to modify or delete unintended internal resources.

User interaction is required because an administrator must delete the maliciously crafted dashboard through the Kibana interface.


6) Resource exhaustion (CVE-ID: CVE-2026-42399)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the Timelion visualization expression parser when processing deeply chained function calls in a user-supplied Timelion visualization expression. A remote user can submit a specially crafted Timelion visualization expression to cause a denial of service.

Only deployments where authenticated users have access to the Timelion visualization feature are vulnerable.


7) Resource exhaustion (CVE-ID: CVE-2026-49094)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the analytics collections management endpoint when processing a request containing an oversized input value. A remote user can submit a crafted request with an oversized input value to cause a denial of service.

This issue affects deployments where the behavioral analytics collections feature is available and does not affect Elastic Cloud Serverless.


8) Resource exhaustion (CVE-ID: CVE-2026-33464)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in an internal Kibana API when handling a specially crafted oversized payload. A remote user can submit a specially crafted oversized payload to cause a denial of service.

Exploitation requires authenticated access with the Viewer role or higher.


Remediation

Install the update from the vendor's website.