Skip to main content

Kibana CVE-2026-49088

| EUVDEUVD-2026-41093 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-07-01 security@elastic.co GHSA-r35r-rm7g-v9m8
4.4
CVSS 3.1 · Vendor: elastic
Share

Severity by source

Vendor (elastic) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.4 MEDIUM

APM is non-default (AC:H), log read access requires operator privilege (PR:H), and impact is limited to confidentiality of captured header values with no integrity or availability effect.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (elastic).

CVSS VectorVendor: elastic

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 17:42 vuln.today

DescriptionCVE.org

Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.

AnalysisAI

Sensitive HTTP request header values are written into Kibana application logs when the optional APM (Application Performance Monitoring) instrumentation feature is enabled, exposing credentials or tokens to anyone with operator-level log access. This affects multiple Kibana release branches (8.18.x, 8.19.x, 9.0.x, and 9.1.x) and is classified as information disclosure under CWE-532. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enable or confirm APM instrumentation is active
Delivery
Make or observe authenticated HTTP requests to Kibana
Exploit
Sensitive headers written to application logs by APM
Execution
Access Kibana log files as operator
Persist
Extract Authorization headers or API keys from log entries
Impact
Use captured credentials for lateral movement

Vulnerability AssessmentAI

Exploitation The optional APM (Application Performance Monitoring) instrumentation feature must be explicitly enabled in the Kibana configuration - this is not a default setting. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 4.4 (Medium) with vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator or system administrator with read access to Kibana application logs searches log files generated while APM instrumentation was active, locating entries that contain raw HTTP request headers from user or API sessions. The operator extracts Authorization header values or API keys from these log entries and uses them to authenticate as other users or services, enabling lateral movement within the Elastic Stack or connected systems. …
Remediation Upgrade Kibana to one of the patched versions released by Elastic: 8.18.9, 8.19.6, 9.0.8, or 9.1.6, per advisory ESA-2026-50 at https://discuss.elastic.co/t/kibana-8-18-9-8-19-6-9-0-8-9-1-6-security-update-esa-2026-50. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Kibana

View all
CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2025-25015 CRITICAL
9.9 Mar 05

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP

CVE-2018-17245 CRITICAL
9.8 Dec 20

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us

CVE-2025-25014 CRITICAL
9.1 May 06

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea

CVE-2019-7610 CRITICAL
9.0 Mar 25

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever

CVE-2024-12556 HIGH
8.7 Apr 08

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate

CVE-2024-37288 HIGH
8.8 Sep 09

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con

CVE-2023-31415 HIGH
8.8 May 04

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2023-31414 HIGH
8.8 May 04

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne

CVE-2026-26938 HIGH
8.6 Feb 26

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve

Share

CVE-2026-49088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy