Kibana 8.x < 8.19.16 / 9.0.x < 9.3.5 / 9.4.x < 9.4.2 Multiple Vulnerabilities (ESA-2026-35 / ESA-2026-38)

The version of Kibana installed on the remote host is prior to 8.19.16, 9.3.5, or 9.4.2. It is, therefore, affected by multiple vulnerabilities as referenced in the ESA-2026-35 and ESA-2026-38 advisories. - Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via...

Improper Validation of Specified Type of Input

Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the Fleet agent policy management. An attacker can gain unauthorized read and...

EUVD-2026-33033

Improper Input Validation CWE-20 in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequatel...

CVE-2026-33460

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...