Inclusion of Sensitive Information in Log Files in Kibana - CVE-2026-49088
Published: July 2, 2026
Kibana
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log file in Kibana APM instrumentation when handling requests with sensitive header values. A remote privileged user can send requests that include sensitive header values to disclose sensitive information.
Only deployments with the optional application performance monitoring instrumentation enabled are vulnerable, and exposed data may be accessible to operators with log access.