By vendor

Elastic vulnerabilities

Known CVEs affecting Elastic products, prioritized by severity, with SEC.co remediation and detection guidance.

7 published vulnerabilities

  • CVE-2026-42398HIGH 7.7

    CVE-2026-42398 is a Server-Side Request Forgery (SSRF) vulnerability in Kibana that allows authenticated users with connector management privileges to circumvent network egress restrictions. An attacker with the right permissions can configure a malicious Webhook connector that tricks Kibana into making outbound HTTP requests to internal or restricted destinations that should have been blocked by the organization's firewall or allowlist policies. This effectively punches through network security controls by leveraging Kibana's own trusted outbound connection capability.

  • CVE-2026-33464MEDIUM 6.5

    Kibana contains a denial-of-service vulnerability that allows low-privileged authenticated users to crash the service by sending an oversized request to an internal API. When exploited, Kibana becomes unresponsive to all users until manually restarted or the process recovers. This is a resource exhaustion attack that requires valid credentials but no special privileges.

  • CVE-2026-42399MEDIUM 6.5

    A vulnerability in Kibana allows authenticated users with basic access to crash the application by uploading specially crafted visualizations. An attacker submits a Timelion visualization with deeply nested function calls that causes Kibana to allocate memory without limit, eventually consuming all available RAM and taking the service offline for everyone. This is a denial-of-service attack that requires valid credentials but no administrative privileges.

  • CVE-2026-42400MEDIUM 6.5

    CVE-2026-42400 is a denial-of-service vulnerability in Kibana that allows an authenticated user to crash or freeze a Kibana instance by sending a malicious compressed request. The vulnerability exists because Kibana processes and decompresses incoming requests before fully validating user permissions, meaning an attacker can consume excessive memory and CPU resources on the server before authorization checks can stop them. While this requires valid credentials to exploit, the impact is straightforward: a Kibana instance can become unresponsive or crash entirely, disrupting visibility and analysis capabilities that teams depend on.

  • CVE-2026-33463MEDIUM 5.3

    Kibana contains a flaw where access tokens that should expire at a specific time continue to work indefinitely. An attacker who obtains one of these tokens—even after it should have stopped being valid—can use it to read sensitive information they shouldn't have access to. The vulnerability stems from improper validation of token expiration times, allowing the system to forget when a token was supposed to stop working.

  • CVE-2026-33462MEDIUM 4.6

    A path traversal flaw in Kibana's dashboard management allows an authenticated user with basic permissions to craft a malicious dashboard identifier. When an administrator deletes this dashboard, the deletion request bypasses security controls and targets unintended internal endpoints—potentially destroying user accounts or other critical resources. The vulnerability requires an administrator to take action on the malicious object, making it a privilege-escalation path rather than a self-executing exploit.

  • CVE-2026-42401MEDIUM 4.1

    CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.