Path traversal in Kibana - CVE-2026-33462

 

Published: May 29, 2026


Vulnerability identifier: #VU132762
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33462
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote user to modify or delete unintended internal resources.

The vulnerability exists due to path traversal in Kibana's dashboard management functionality when processing a dashboard deletion request for a specially crafted dashboard identifier. A remote user can create a dashboard with a specially crafted identifier to modify or delete unintended internal resources.

User interaction is required because an administrator must delete the maliciously crafted dashboard through the Kibana interface.
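
A defensive audit that follows from the description above, as an added example that is not Elastic's code or part of the original advisory: it scans a saved-objects NDJSON export for dashboard identifiers that look like paths, so they can be reviewed before an administrator deletes them. The advisory does not state the exact form of the crafted identifier, so the patterns checked are generic CWE-22 indicators (an assumption), and the sample export is constructed.

```python
import json
import re
from urllib.parse import unquote

# Assumption: generic CWE-22 indicators; the advisory does not give the crafted form.
_SEPARATOR = re.compile(r"[/\\]")
_DOT_SEGMENT = re.compile(r"(^|[/\\])\.\.?($|[/\\])")

def traversal_reasons(object_id):
    """List the reasons an identifier looks like a path rather than an opaque ID."""
    decoded = object_id
    for _ in range(3):  # repeat so double-encoded separators are also seen
        decoded = unquote(decoded)
    reasons = []
    if decoded != object_id:
        reasons.append("percent-encoded characters")
    if _SEPARATOR.search(decoded):
        reasons.append("path separator")
    if _DOT_SEGMENT.search(decoded):
        reasons.append("dot segment")
    return reasons

def audit_export(ndjson_text, object_type="dashboard"):
    """Return {id: reasons} for suspicious objects in a saved-objects NDJSON export."""
    findings = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("type") != object_type:
            continue  # other object types and the trailing export-summary line
        reasons = traversal_reasons(str(record.get("id", "")))
        if reasons:
            findings[record["id"]] = reasons
    return findings

# Constructed sample export (not real data).
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"type": "dashboard", "id": "11111111-2222-3333-4444-555555555555"},
    {"type": "dashboard", "id": "..%2f..%2fexample-target"},
    {"type": "dashboard", "id": "reports/../example-target"},
    {"type": "visualization", "id": "../not-a-dashboard"},
    {"exportedCount": 4, "missingRefCount": 0},
])

if __name__ == "__main__":
    for oid, why in audit_export(SAMPLE_EXPORT).items():
        print(f"review before deleting: {oid!r} ({', '.join(why)})")
```
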


How to mitigate CVE-2026-33462

Install the security update from the vendor's website.
