SB2026070215 - Inclusion of Sensitive Information in Log Files in Kibana
Published: July 2, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-49088)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log file in Kibana APM instrumentation when handling requests with sensitive header values. A remote privileged user can send requests that include sensitive header values to disclose sensitive information.
Only deployments with the optional application performance monitoring instrumentation enabled are vulnerable, and exposed data may be accessible to operators with log access.
Remediation
Install update from vendor's website.