Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.
AnalysisAI
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Technical ContextAI
Kibana, Elastic's data visualization and dashboard platform, issues time-bounded access tokens to control scoped access to content - such as shared dashboard links or embedded report URLs. CWE-672 (Operation on a Resource after Expiration or Termination) identifies the root cause: the server-side logic responsible for validating whether a token's expiration timestamp has passed contained a flaw that allowed already-expired tokens to pass validation successfully. This is a server-side state management error, not a cryptographic weakness - the token itself is not forged; it is genuine but should have been rejected. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* uses a full wildcard, indicating NVD has not yet constrained the affected version range beyond 'all Kibana versions'; the Elastic advisory URL slug suggests fixed versions are 8.19.1 and 6.9.3.5, though independent version range confirmation requires review of ESA-2026-33 directly.
RemediationAI
The primary remediation is to upgrade Kibana to the patched releases referenced in Elastic security advisory ESA-2026-33, available at https://discuss.elastic.co/t/8-19-16-9-3-5-security-update-esa-2026-33/386551. Based on the advisory URL slug, versions 8.19.1 and 6.9.3.5 appear to contain the fix, though these versions should be independently verified against the full advisory before deploying in production. If immediate patching is not feasible, a compensating control is to disable or revoke all active time-bounded shared access tokens and prevent new ones from being generated until patching is complete - this eliminates the token inventory an attacker could exploit, though it will break legitimate shared link functionality for end users. Rotating all previously issued tokens after patching is advisable to invalidate any expired tokens an attacker may already hold.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33011
GHSA-fgvg-65vf-2w8h