Skip to main content

Kibana CVE-2026-33463

| EUVDEUVD-2026-33011 MEDIUM
Operation on a Resource after Expiration or Release (CWE-672)
2026-05-28 elastic GHSA-fgvg-65vf-2w8h
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 20:25 vuln.today

DescriptionCVE.org

Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.

AnalysisAI

Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.

Technical ContextAI

Kibana, Elastic's data visualization and dashboard platform, issues time-bounded access tokens to control scoped access to content - such as shared dashboard links or embedded report URLs. CWE-672 (Operation on a Resource after Expiration or Termination) identifies the root cause: the server-side logic responsible for validating whether a token's expiration timestamp has passed contained a flaw that allowed already-expired tokens to pass validation successfully. This is a server-side state management error, not a cryptographic weakness - the token itself is not forged; it is genuine but should have been rejected. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* uses a full wildcard, indicating NVD has not yet constrained the affected version range beyond 'all Kibana versions'; the Elastic advisory URL slug suggests fixed versions are 8.19.1 and 6.9.3.5, though independent version range confirmation requires review of ESA-2026-33 directly.

RemediationAI

The primary remediation is to upgrade Kibana to the patched releases referenced in Elastic security advisory ESA-2026-33, available at https://discuss.elastic.co/t/8-19-16-9-3-5-security-update-esa-2026-33/386551. Based on the advisory URL slug, versions 8.19.1 and 6.9.3.5 appear to contain the fix, though these versions should be independently verified against the full advisory before deploying in production. If immediate patching is not feasible, a compensating control is to disable or revoke all active time-bounded shared access tokens and prevent new ones from being generated until patching is complete - this eliminates the token inventory an attacker could exploit, though it will break legitimate shared link functionality for end users. Rotating all previously issued tokens after patching is advisable to invalidate any expired tokens an attacker may already hold.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-33463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy