EUVD-2026-33009
GHSA-3j7x-jqgv-84cm
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.
AnalysisAI
Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect administrative delete operations to unintended internal endpoints, potentially causing unauthorized deletion of user accounts or other Kibana-managed resources. Elastic's advisory ESA-2026-30 identifies fixes in versions 8.19.16 and 9.3.5, confirming the issue spans both active release branches. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a
Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level
Share
External POC / Exploit Code
Leaving vuln.today