Skip to main content

Kibana CVE-2026-33462

| EUVDEUVD-2026-33009 MEDIUM
Path Traversal (CWE-22)
2026-05-28 elastic GHSA-3j7x-jqgv-84cm
4.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 20:26 vuln.today

DescriptionCVE.org

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.

AnalysisAI

Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect administrative delete operations to unintended internal endpoints, potentially causing unauthorized deletion of user accounts or other Kibana-managed resources. Elastic's advisory ESA-2026-30 identifies fixes in versions 8.19.16 and 9.3.5, confirming the issue spans both active release branches. No public exploit code or CISA KEV listing has been identified at time of analysis, but the integrity impact of silent account deletion warrants prioritized patching in multi-tenant deployments.

Technical ContextAI

Kibana is Elastic's browser-based analytics and visualization platform sitting atop Elasticsearch. CWE-22 (Path Traversal) identifies the root cause: the dashboard deletion handler constructs an internal API request using an attacker-controlled dashboard identifier without sufficient sanitization or validation. By embedding path traversal sequences in a dashboard ID or name at creation time, the attacker poisons the resource reference so that a subsequent server-side delete operation traverses to an unintended internal endpoint - such as a user account management API - rather than the dashboard itself. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* indicates no version is excluded from the affected range prior to the patched releases, covering both the 8.x and 9.x product lines.

RemediationAI

The primary fix is upgrading Kibana to version 8.19.16 (for 8.x deployments) or 9.3.5 (for 9.x deployments) as specified in Elastic security advisory ESA-2026-30, available at https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-30/386545. For environments where immediate patching is not feasible, the most targeted compensating control is restricting the dashboard Create privilege in Kibana role management to only vetted, trusted personnel - this removes the attacker's ability to plant a malicious dashboard object in the first place, though it may impact collaboration in shared Kibana Spaces and should be communicated to affected teams. Additionally, administrators should treat deletion of unexpected or unfamiliar dashboards - particularly those created by low-privilege accounts - with elevated scrutiny and verify object identity before proceeding. No workaround fully eliminates risk without patching, as the flaw resides in server-side request construction. Vendor-released patch: 8.19.16 / 9.3.5.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-33462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy