Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
APM is non-default (AC:H), log read access requires operator privilege (PR:H), and impact is limited to confidentiality of captured header values with no integrity or availability effect.
Primary rating from Vendor (elastic).
CVSS VectorVendor: elastic
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.
AnalysisAI
Sensitive HTTP request header values are written into Kibana application logs when the optional APM (Application Performance Monitoring) instrumentation feature is enabled, exposing credentials or tokens to anyone with operator-level log access. This affects multiple Kibana release branches (8.18.x, 8.19.x, 9.0.x, and 9.1.x) and is classified as information disclosure under CWE-532. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The optional APM (Application Performance Monitoring) instrumentation feature must be explicitly enabled in the Kibana configuration - this is not a default setting. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 4.4 (Medium) with vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An operator or system administrator with read access to Kibana application logs searches log files generated while APM instrumentation was active, locating entries that contain raw HTTP request headers from user or API sessions. The operator extracts Authorization header values or API keys from these log entries and uses them to authenticate as other users or services, enabling lateral movement within the Elastic Stack or connected systems. … |
| Remediation | Upgrade Kibana to one of the patched versions released by Elastic: 8.18.9, 8.19.6, 9.0.8, or 9.1.6, per advisory ESA-2026-50 at https://discuss.elastic.co/t/kibana-8-18-9-8-19-6-9-0-8-9-1-6-security-update-esa-2026-50. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever
Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con
Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne
Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41093
GHSA-r35r-rm7g-v9m8