Improper Output Neutralization for Logs in Kibana - CVE-2026-49091

 


Published: July 2, 2026


Vulnerability identifier: #VU136675
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-49091
CWE-ID: CWE-117
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software: Kibana

Detailed vulnerability description

The vulnerability allows a remote user to alter displayed log data and disclose sensitive information.

The vulnerability exists due to improper output neutralization for logs in Kibana log files when processing specially crafted input that is written to logs and later viewed in a terminal that interprets control sequences. A remote user can supply specially crafted input to alter displayed log data and disclose sensitive information.

Exploitation requires user interaction: a user must view the affected log files in a terminal that interprets control sequences.
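
As an added example (not code from Elastic or from this advisory), the following Python filter shows one way to review a log file without letting the terminal interpret embedded control sequences: it flags lines that contain control characters and prints them with each one escaped. The sample lines and function names are constructed for illustration and do not reflect Kibana's log format.

```python
import re
import sys

# C0 controls except TAB, plus DEL and the C1 range (U+0080-U+009F), which
# some terminals treat as 8-bit forms of ESC sequences.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(text: str) -> str:
    """Replace each control character with a visible \\xNN escape."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def scan(lines):
    """Return (line_number, neutralized_text) for lines carrying controls."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        body = raw.removesuffix("\n").removesuffix("\r")  # drop LF / CRLF
        if CONTROL.search(body):
            hits.append((number, neutralize(body)))
    return hits


def scan_file(path):
    """Scan a log file without ever writing raw bytes to the terminal."""
    with open(path, "rb") as fh:  # binary iteration splits on LF only
        return scan(l.decode("utf-8", "backslashreplace") for l in fh)


# Constructed sample lines (not real Kibana output or its log format).
SAMPLE = [
    "2026-07-02T10:00:00Z INFO request path=/status\n",
    "2026-07-02T10:00:01Z WARN request path=/a\x1b[2K\rforged entry\n",
    "2026-07-02T10:00:02Z INFO note=tab\tseparated\r\n",
    "2026-07-02T10:00:03Z WARN agent=x\x9b0my\n",
]

if __name__ == "__main__":
    source = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for number, safe in source:
        print(f"line {number}: {safe}")
```

Run it with a log file path as the only argument; with no argument it scans the constructed sample. It requires Python 3.9 or later for `str.removesuffix`.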


How to mitigate CVE-2026-49091

Install the security update from the vendor's website.
