Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attacker needs low-privilege input access (PR:L) and an operator to view logs in a vulnerable terminal (UI:R, AC:H); real impact is forging displayed log data (I:H, S:C) with minor confidentiality and no availability effect.
Primary rating from Vendor (elastic).
CVSS VectorVendor: elastic
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.
AnalysisAI
Log injection in Elastic Kibana (fixed in 7.17.15 and 8.11.1) allows an attacker with low-privilege access to embed unneutralized control characters in input that Kibana writes verbatim to its log files; when an operator later views those logs in a terminal that interprets ANSI/control sequences, the injected payload can forge, hide, or rewrite displayed log content. The issue is tracked as CWE-117 (Improper Output Neutralization for Logs) and carries a vendor CVSS of 8.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the attacker to have enough access to submit input that Kibana writes into its log files (CVSS PR:L - some authenticated/low-privilege foothold, not fully anonymous); (2) that input to reach a logged field without neutralization; and critically (3) a human operator (UI:R) to subsequently view the affected log in a terminal emulator that interprets control/escape sequences. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Kibana user submits a request whose parameters contain ANSI escape and carriage-return sequences engineered to be written into Kibana's logs. Later, a SOC analyst investigating activity runs 'tail'/'cat' on the log file in a terminal, at which point the injected sequences rewrite or conceal log lines - hiding the attacker's actions or planting misleading forged entries. … |
| Remediation | Upgrade Kibana to a fixed release: Vendor-released patch: 7.17.15 (for the 7.x line) or 8.11.1 (for the 8.x line), per Elastic advisory ESA-2026-53 (https://discuss.elastic.co/t/kibana-7-17-15-8-11-1-security-update-esa-2026-53). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Kibana instances in production and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever
Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con
Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne
Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41101
GHSA-787j-ggjh-rhm6