Skip to main content

Kibana CVE-2024-43706

| EUVDEUVD-2024-54667 HIGH
Improper Authorization (CWE-285)
2025-06-10 security@elastic.co
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:42 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
8.12.1
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2024-54667
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 17:19 nvd
HIGH 7.6

DescriptionCVE.org

Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.

AnalysisAI

CVE-2024-43706 is an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to escalate privileges through direct HTTP requests. Attackers with low-level credentials can bypass access controls to perform unauthorized actions on synthetic monitoring functionality, potentially affecting confidentiality, integrity, and availability. While the CVSS 7.6 score indicates significant risk, real-world impact depends on deployment context and whether this vulnerability is actively exploited in the wild.

Technical ContextAI

This vulnerability exists in Kibana's Synthetic Monitoring module, which is part of the Elastic Stack used for synthetic uptime and performance monitoring. The root cause is CWE-285 (Improper Authorization), indicating insufficient access control checks on HTTP endpoints designated for synthetic monitor operations. Rather than enforcing proper Role-Based Access Control (RBAC) or attribute-based access controls, the endpoint likely validates authentication (that a user exists) but fails to validate that the authenticated user has appropriate privileges to interact with synthetic monitors. This is a common pattern where authentication is conflated with authorization. The vulnerability is accessible via direct HTTP requests to the endpoint, meaning no special tooling or complex exploitation technique is required—standard HTTP clients suffice. The low attack complexity (AC:L) confirms this.

RemediationAI

  1. Immediate Patch: Upgrade Kibana to the patched version published by Elastic for CVE-2024-43706 (version specifics should be obtained from Elastic's official advisory). 2. Interim Mitigation: Restrict network access to Kibana's Synthetic monitor endpoints at the firewall/load-balancer level, limiting HTTP requests to trusted source IPs. 3. Access Control Review: Audit user role assignments in Kibana; ensure low-privilege users do not have synthetic monitoring privileges if not required. Implement principle of least privilege strictly. 4. Monitoring: Enable audit logging on Kibana API endpoints to detect unauthorized synthetic monitor access attempts. Monitor for unusual API calls to synthetic endpoints from low-privilege users. 5. Workaround (if patching is delayed): Disable or restrict Synthetic Monitoring features in Kibana if not in active use, via configuration settings in kibana.yml.

More in Kibana

View all
CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2025-25015 CRITICAL
9.9 Mar 05

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP

CVE-2018-17245 CRITICAL
9.8 Dec 20

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us

CVE-2025-25014 CRITICAL
9.1 May 06

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea

CVE-2019-7610 CRITICAL
9.0 Mar 25

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever

CVE-2024-12556 HIGH
8.7 Apr 08

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate

CVE-2024-37288 HIGH
8.8 Sep 09

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con

CVE-2023-31415 HIGH
8.8 May 04

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2023-31414 HIGH
8.8 May 04

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne

CVE-2026-26938 HIGH
8.6 Feb 26

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve

Vendor StatusVendor

Debian

Bug #700337
kibana
Release Status Fixed Version Urgency
open - -

Share

CVE-2024-43706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy