Inclusion of Sensitive Information in Log Files in Kibana - CVE-2026-49088

 


Published: July 2, 2026


Vulnerability identifier: #VU136677
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-49088
CWE-ID: CWE-532
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the Kibana APM instrumentation writes sensitive information to a log file when handling requests with sensitive header values. A remote privileged user can send requests that include sensitive header values to disclose sensitive information.

Only deployments with the optional application performance monitoring instrumentation enabled are vulnerable, and exposed data may be accessible to operators with log access.
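An added example (not part of the advisory and not Elastic's code) of a check for log files that already contain unmasked header values. It reports a hash prefix instead of the value so the audit output does not repeat the leak. The header list, the JSON field layout, the sample lines and the names `audit`, `walk` and `fingerprint` are assumptions made for illustration.

```python
import hashlib
import json
import re

# Assumed list of sensitive header names; the advisory does not enumerate them.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
PLACEHOLDERS = {"", "[redacted]", "redacted", "***"}  # values already masked
# Fallback for non-JSON lines: header name, then ':' or '=', then the value.
TEXT_RE = re.compile(r"(?i)\b(" + "|".join(sorted(SENSITIVE)) +
                     r")\b[\"']?\s*[:=]\s*[\"']?([^\"',}\s][^\"',}]*)")
# Constructed sample lines (not real Kibana output; the field layout is assumed).
SAMPLE = [
    '{"level":"debug","http":{"request":{"headers":{"Authorization":"Bearer constructed-token","accept":"*/*"}}}}',
    '{"level":"debug","http":{"request":{"headers":{"cookie":"[REDACTED]"}}}}',
    'debug apm request headers "Cookie": "sid=constructed-session"',
]


def fingerprint(value):
    """SHA-256 prefix: lets hits be correlated without copying the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def walk(node, path=""):
    """Yield (path, value) for string values stored under a sensitive key."""
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE:
                for v in val if isinstance(val, list) else [val]:
                    if isinstance(v, str):
                        yield here, v
            else:
                yield from walk(val, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def audit(lines):
    """Return (line_no, path, fingerprint) for each unmasked sensitive value."""
    hits = []
    for no, line in enumerate(lines, 1):
        try:
            found = list(walk(json.loads(line)))
        except ValueError:  # not JSON: fall back to the text pattern
            found = [(m[1].lower(), m[2].strip()) for m in TEXT_RE.finditer(line)]
        hits += [(no, p, fingerprint(v)) for p, v in found if v.strip().lower() not in PLACEHOLDERS]
    return hits
```

Pass the lines of a log file to `audit()`; any hit means that file should be access-restricted or purged and the corresponding credential rotated.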


How to mitigate CVE-2026-49088

Install the security update from the vendor's website.
