Skip to main content

Kibana CVE-2026-49091

| EUVDEUVD-2026-41101 HIGH
Improper Encoding or Escaping of Output (CWE-116)
2026-07-01 elastic GHSA-787j-ggjh-rhm6
8.0
CVSS 3.1 · Vendor: elastic
Share

Severity by source

Vendor (elastic) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Attacker needs low-privilege input access (PR:L) and an operator to view logs in a vulnerable terminal (UI:R, AC:H); real impact is forging displayed log data (I:H, S:C) with minor confidentiality and no availability effect.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (elastic).

CVSS VectorVendor: elastic

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 18:22 vuln.today

DescriptionCVE.org

Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.

AnalysisAI

Log injection in Elastic Kibana (fixed in 7.17.15 and 8.11.1) allows an attacker with low-privilege access to embed unneutralized control characters in input that Kibana writes verbatim to its log files; when an operator later views those logs in a terminal that interprets ANSI/control sequences, the injected payload can forge, hide, or rewrite displayed log content. The issue is tracked as CWE-117 (Improper Output Neutralization for Logs) and carries a vendor CVSS of 8.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Kibana access
Delivery
Submit input with embedded terminal control sequences
Exploit
Kibana writes unneutralized payload to log file
Execution
Operator views log in interpreting terminal
Impact
Injected sequences forge or hide log entries

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker to have enough access to submit input that Kibana writes into its log files (CVSS PR:L - some authenticated/low-privilege foothold, not fully anonymous); (2) that input to reach a logged field without neutralization; and critically (3) a human operator (UI:R) to subsequently view the affected log in a terminal emulator that interprets control/escape sequences. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged Kibana user submits a request whose parameters contain ANSI escape and carriage-return sequences engineered to be written into Kibana's logs. Later, a SOC analyst investigating activity runs 'tail'/'cat' on the log file in a terminal, at which point the injected sequences rewrite or conceal log lines - hiding the attacker's actions or planting misleading forged entries. …
Remediation Upgrade Kibana to a fixed release: Vendor-released patch: 7.17.15 (for the 7.x line) or 8.11.1 (for the 8.x line), per Elastic advisory ESA-2026-53 (https://discuss.elastic.co/t/kibana-7-17-15-8-11-1-security-update-esa-2026-53). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Kibana instances in production and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Kibana

View all
CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2025-25015 CRITICAL
9.9 Mar 05

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP

CVE-2018-17245 CRITICAL
9.8 Dec 20

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us

CVE-2025-25014 CRITICAL
9.1 May 06

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea

CVE-2019-7610 CRITICAL
9.0 Mar 25

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever

CVE-2024-12556 HIGH
8.7 Apr 08

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate

CVE-2024-37288 HIGH
8.8 Sep 09

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con

CVE-2023-31415 HIGH
8.8 May 04

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2023-31414 HIGH
8.8 May 04

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne

CVE-2026-26938 HIGH
8.6 Feb 26

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve

Share

CVE-2026-49091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy