Kibana 9.3.3 Security Update (ESA-2026-40)
Server-Side Request Forgery SSRF in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound...
Kibana 8.19.16 Security Update (ESA-2026-39)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with viewer-level access can submit a request containing an oversized input value to...
Kibana Fleet 8.19.16, 9.3.5, and 9.4.2 Security Update (ESA-2026-38)
Improper Input Validation in Kibana Fleet Leading to Privilege Escalation Improper Input Validation CWE-20 in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by...
Kibana 9.2.8, and 9.3.2 Security Update (ESA-2026-37)
Server-Side Request Forgery SSRF in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted...
Kibana 8.19.16, and 9.3.5 Security Update (ESA-2026-36)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memor...
Kibana 8.19.16, 9.3.5, 9.4.2 Security Update (ESA-2026-35)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user can send a specially crafted compressed request payload that is processed prior to...
Kibana 8.19.16, 9.3.5 Security Update (ESA-2026-34)
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup...
8.19.16, 9.3.5 Security Update (ESA-2026-33)
Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access Operation on a Resource after Expiration or Termination CWE-672 in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a...
Kibana 8.19.16, 9.3.5, 9.4.1 Security Update (ESA-2026-32)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to a denial of service via Excessive Allocation CAPEC-130. An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to...
Kibana 8.19.16 and 9.3.5 Security Update (ESA-2026-30)
Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrat...
Elastic Package Registry 1.38.0 Security Update (ESA-2026-27)
Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass Improper Verification of Cryptographic Signature CWE-347 in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the...
Logstash 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-29)
Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The...
Kibana 9.3.3 Security Update (ESA-2026-28)
Server-Side Request Forgery SSRF in Kibana One Workflow Leading to Information Disclosure Server-Side Request Forgery CWE-918 in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-26)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests wi...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-25)
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-24)
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure Incorrect Authorization CWE-863 in Kibana can lead to information disclosure via Privilege Abuse CAPEC-122. A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data,...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-21)
Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch RBAC scope via...
Elastic OTel Java 1.10.0 Security Update (ESA-2026-22 / GHSA-xw7x-h9fj-p2c7)
Dependency on Vulnerable Third-Party Component in Elastic OTel Java Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in Elastic OTel Java via a dependency on OpenTelemetry Java instrumentation library. This vulnerability could allow an attacker to...
Kibana 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-20)
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service Improper Validation of Specified Quantity in Input CWE-1284 in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation CAPEC-130. The vulnerability allows an...
Elasticsearch 8.19.8, 9.1.8 Security Update (ESA-2026-18)
Deserialization of Untrusted Data in Elasticsearch Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in PyTorch used by the machine learning model loading component in Elasticsearch that can allow an attacker to achieve remote code execution via Objec...
Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-11)
Improper Validation of Array Index in Packetbeat Leading to Denial of Service Improper Validation of Array Index CWE-129 in multiple protocol parser components in Packetbeat can lead to Denial of Service via Input Data Manipulation CAPEC-153. An attacker with the ability to send specially crafted,...
Metricbeat 8.19.13, 9.2.5 Security Update (ESA-2026-09)
Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service Memory Allocation with Excessive Size Value CWE-789 in the Prometheus remotewrite HTTP handler in Metricbeat can lead to Denial of Service via Excessive Allocation CAPEC-130. Affected Versions: 8.x: All versions...
Logstash 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-06)
Sensitive Information in Resource Not Removed Before Reuse in Logstash Leading to Access to Sensitive Information Dependency on Vulnerable Third-Party Component CWE-1395 exists in org.lz4:lz4-java decompression library used by logstash-integration-kafka plugin in Logstash that could allow an...
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-19)
Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration Missing Authorization CWE-862 in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration host isolation, process termination, and process suspensio...
Kibana 9.3.1 Security Update (ESA-2026-17)
Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery SSRF Improper Neutralization of Special Elements Used in a Template Engine CWE-1336 exists in Workflows in Kibana which could allow an attacker to read arbitrary files...
Synthetics Recorder 1.4.15 Security Update (ESA-2026-16) - CVE-2025-6554 and CVE-2025-7657
Dependency on Vulnerable Third-Party Component in Synthetics Recorder Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in the bundled Chromium browser in Elastic Synthetics Recorder that could allow an attacker to achieve remote code execution on a...
Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-15)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation CAPEC-153. Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.10 9.x:...
Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-14)
Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service Inefficient Regular Expression Complexity CWE-1333 in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup CAPEC-492. Affected Versions: 8.x: All versio...
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-13)
Improper Input Validation in Kibana Leading to Denial of Service Improper Input Validation CWE-20 in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation CAPEC-153. Affected Versions: 8.x: All versions from 8.4.0 up to and including 8.19....
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-12)
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service Improper Validation of Specified Quantity in Input CWE-1284 in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation CAPEC-153. An...
Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-10)
Improper Validation of Array Index in Packetbeat Leading to Denial of Service Improper Validation of Array Index CWE-129 in the PostgreSQL protocol parser in Packetbeat can lead to Denial of Service via Input Data Manipulation CAPEC-153. An attacker can send a specially crafted packet causing a Go...
Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)
Elasticsearch yawkat LZ4 Java - CVE-2025-66566 ESA-2026-07 An Information Disclosure vulnerability CVE-2025-66566 exists in the yawkat LZ4 Java library used by Elasticsearch that allows an attacker to read previous buffer contents through specially crafted compressed input sent via the transport...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-05)
External Control of File Name or Path and Server-Side Request Forgery SSRF in Kibana Google Gemini Connector ESA-2026-05 External Control of File Name or Path CWE-73 combined with Server-Side Request Forgery CWE-918 can allow an attacker to cause arbitrary file disclosure through a specially...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-08)
Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation ESA-2026-08 Improper Input Validation CWE-20 in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation CAPEC-130 through a specially crafted email address parameter. This requires an...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-04)
Allocation of Resources Without Limits or Throttling in Kibana Fleet ESA-2026-04 Allocation of Resources Without Limits or Throttling CWE-770 in Kibana Fleet can lead to Excessive Allocation CAPEC-130 via a specially crafted bulk retrieval request. This requires an attacker to have low-level...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-03)
Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation ESA-2026-03 Allocation of Resources Without Limits or Throttling CWE-770 in Kibana Fleet can lead to Excessive Allocation CAPEC-130 via a specially crafted request. This causes the application to perfor...
Packetbeat 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-02)
Improper Validation of Array Index in Packetbeat Leading to Overflow Buffers ESA-2026-02 Improper Validation of Array Index CWE-129 in Packetbeat’s MongoDB protocol parser can allow an attacker to cause Overflow Buffers CAPEC-100 through specially crafted network traffic. This requires an attacke...
Metricbeat 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-01)
Improper Input Validation in Metricbeat Leading to Denial of Service ESA-2026-01 Improper Validation of Array Index CWE-129 exists in Metricbeat and can allow an attacker to cause a Denial of Service via Input Data Manipulation CAPEC-153 using specially crafted, malformed payloads sent to the Graphit...
Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-39)
Kibana Improper Authorization ESA-2025-39 Improper Authorization CWE-285 in Kibana can lead to privilege escalation CAPEC-233 by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the 'live queries - read'...
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)
Kibana Improper Authorization ESA-2025-38 Improper Authorization CWE-285 in Kibana can lead to privilege escalation CAPEC-233 by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the...
Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-37)
Elasticsearch Allocation of Resources Without Limits or Throttling ESA-2025-37 Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation CAPEC-130 of memory and a denial of service D...
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36)
Kibana Allocation of Resources Without Limits or Throttling ESA-2025-36 Allocation of Resources Without Limits or Throttling CWE-770 in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation CAPEC-130 of computing resources and a denial of service DoS of the Kibana...
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)
Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-35 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an unauthenticated user to embed a malicious script in content that will be served to web browsers...
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)
Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-34 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an authenticated user to embed a malicious script in content that will be served to web browsers...
Elasticsearch 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-33)
Elasticsearch Allocation of Resources Without Limits or Throttling ESA-2025-33 Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation CAPEC-130 causing a persistent denial of service OOM crash via...
Filebeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-32)
Filebeat Improper Validation of Specified Index, Position, or Offset in Input ESA-2025-32 Improper Validation of Specified Index, Position, or Offset in Input CWE-1285 in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow CAPEC-100 and cause a...
Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-31)
Packetbeat Out-of-bounds Read ESA-2025-31 Out-of-bounds read CWE-125 allows an unauthenticated remote attacker to perform a buffer overflow CAPEC-100 via the NFS protocol dissector, leading to a denial-of-service DoS through a reliable process crash when handling truncated XDR-encoded RPC message...
Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-30)
Packetbeat Improper Bounds Check ESA-2025-30 Improper Bounds Check CWE-787 in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow CAPEC-100 and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid...
Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-29)
Packetbeat Allocation of Resources Without Limits or Throttling ESA-2025-29 Allocation of resources without limits or throttling CWE-770 allows an unauthenticated remote attacker to cause excessive allocation CAPEC-130 of memory and CPU via the integration of malicious IPv4 fragments, leading to ...
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-28)
Kibana Cross-site Scripting via the Integration Package Upload Functionality ESA-2025-28 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an authenticated user to render an HTML page within a user’s browser via the integration package upload...