SB2026070215 - Inclusion of Sensitive Information in Log Files in Kibana



SB2026070215 - Inclusion of Sensitive Information in Log Files in Kibana

Published: July 2, 2026

Security Bulletin ID SB2026070215
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-49088)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log file in Kibana APM instrumentation when handling requests with sensitive header values. A remote privileged user can send requests that include sensitive header values to disclose sensitive information.

Only deployments with the optional application performance monitoring instrumentation enabled are vulnerable, and exposed data may be accessible to operators with log access.


Remediation

Install update from vendor's website.