248 matches found
Kibana 8.19.16, and 9.3.5 Security Update (ESA-2026-36)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memor...
Kibana 8.19.16 and 9.3.5 Security Update (ESA-2026-30)
Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrat...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-21)
Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via...
Kibana 8.19.16, 9.3.5, 9.4.2 Security Update (ESA-2026-35)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user can send a specially crafted compressed request payload that is processed prior to...
Filebeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-32)
Filebeat Improper Validation of Specified Index, Position, or Offset in Input ESA-2025-32 Improper Validation of Specified Index, Position, or Offset in Input CWE-1285 in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow CAPEC-100 and cause a...
Kibana 9.2.8, and 9.3.2 Security Update (ESA-2026-37)
Server-Side Request Forgery SSRF in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-26)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests wi...
Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-29)
Packetbeat Allocation of Resources Without Limits or Throttling ESA-2025-29 Allocation of resources without limits or throttling CWE-770 allows an unauthenticated remote attacker to cause excessive allocation CAPEC-130 of memory and CPU via the integration of malicious IPv4 fragments, leading to ...
Metricbeat 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-01)
Improper Input Validation in Metricbeat Leading to Denial of Service ESA-2026-01 Improper Validation of Array Index CWE-129 exists in Metricbeat can allow an attacker to cause a Denial of Service via Input Data Manipulation CAPEC-153 using specially crafted, malformed payloads sent to the Graphit...
Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)
Kibana Cross-Site-Scripting XSS ESA-2025-16 Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting XSS Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29 8.x: All versions from 8.0.0 and up to and...
Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)
Elasticsearch Insertion of sensitive information in log file ESA-2025-18 Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API Affected Versions: 7.x: All versions from 7.0.0 and u...
Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-37)
Elasticsearch Allocation of Resources Without Limits or Throttling ESA-2025-37 Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation CAPEC-130 of memory and a denial of service D...
Synthetics Recorder 1.4.15 Security Update (ESA-2026-16) - CVE-2025-6554 and CVE-2025-7657
Dependency on Vulnerable Third-Party Component in Synthetics Recorder Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in the bundled Chromium browser in Elastic Synthetics Recorder that could allow an attacker to achieve remote code execution on a...
Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)
Elasticsearch yawkat LZ4 Java - CVE-2025-66566 ESA-2026-07 An Information Disclosure vulnerability CVE-2025-66566 exists in the yawkat LZ4 Java library used by Elasticsearch that allows an attacker to read previous buffer contents through specially crafted compressed input sent via the transport...
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)
Kibana Improper Authorization ESA-2025-38 Improper Authorization CWE-285 in Kibana can lead to privilege escalation CAPEC-233 by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the...
Kibana 8.19.16 Security Update (ESA-2026-39)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with viewer-level access can submit a request containing an oversized input value to...
Kibana Fleet 8.19.16, 9.3.5, and 9.4.2 Security Update (ESA-2026-38)
Improper Input Validation in Kibana Fleet Leading to Privilege Escalation Improper Input Validation CWE-20 in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by...
Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-27)
Elasticsearch Improper Authentication ESA-2025-27 Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate...
Enterprise Search 8.18.6, 8.19.3 Security Update (ESA-2025-15) (CVE-2025-54988)
Enterprise Search XML external entity XXE injection in Apache Tika ESA-2025-15 On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to...
Kibana 9.3.3 Security Update (ESA-2026-40)
Server-Side Request Forgery SSRF in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-25)
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy...
Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)
Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-25 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in Kibana can lead to DOM-based XSS due to the use of Vega. The issue on Vega is tracked as CVE-2025-59840...
Kibana 9.3.1 Security Update (ESA-2026-17)
Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery SSRF Improper Neutralization of Special Elements Used in a Template Engine CWE-1336 exists in Workflows in Kibana which could allow an attacker to read arbitrary files...
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-12)
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service Improper Validation of Specified Quantity in Input CWE-1284 in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation CAPEC-153. An...
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-28)
Kibana Cross-site Scripting via the Integration Package Upload Functionality ESA-2025-28 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an authenticated user to render an HTML page within a user’s browser via the integration package upload...
Elastic Cloud Enterprise (ECE) 3.8.3 and 4.0.3 Security Update (ESA-2025-22)
Elastic Cloud Enterprise Improper Authorizatio n ESA-2025-22 Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:...
Kibana 8.19.16, 9.3.5, 9.4.1 Security Update (ESA-2026-32)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to a denial of service via Excessive Allocation CAPEC-130. An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to...
Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-15)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation CAPEC-153 Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.10 9.x:...
Elasticsearch 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-33)
Elasticsearch Allocation of Resources Without Limits or Throttling ESA-2025-33 Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation CAPEC-130 causing a persistent denial of service OOM crash via...
Kibana - Crowdstrike Connector 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-19)
Kibana Insufficiently Protected Credentials in the CrowdStrike Connector ESA-2025-19 Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from an Elastic Crowdstrike connector in another...
Logstash 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-29)
Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-24)
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure Incorrect Authorization CWE-863 in Kibana can lead to information disclosure via Privilege Abuse CAPEC-122. A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data,...
Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-14)
Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service Inefficient Regular Expression Complexity CWE-1333 in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup CAPEC-492. Affected Versions: 8.x: All versio...
Elastic Defend 8.19.6, 9.1.6, and 9.2.0 Security Update (ESA-2025-23)
Elastic Defend Improper Preservation of Permissions ESA-2025-23 Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation...
Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17)
Kibana Stored Cross-Site-ScriptingXSS ESA-2025-17 Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site-Scripting XSS Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29 8.x: All versions from 8.0.0 and up to and including 8.18.7 8.19.x...
Kibana 8.14.0/7.17.22 Security Update (ESA-2024-10)
Kibana open redirect issue ESA-2024-10. An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Affected Versions: Kibana Versions before 7.17.22 and before 8.14.0. Solutions and Mitigations:...
Kibana 8.19.16, 9.3.5 Security Update (ESA-2026-34)
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup...
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-13)
Improper Input Validation in Kibana Leading to Denial of Service Improper Input Validation CWE-20 in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation CAPEC-153 Affected Versions: 8.x: All versions from 8.4.0 up to and including 8.19....
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-05)
External Control of File Name or Path and Server-Side Request Forgery SSRF in Kibana Google Gemini Connector ESA-2026-05 External Control of File Name or Path CWE-73 combined with Server-Side Request Forgery CWE-918 can allow an attacker to cause arbitrary file disclosure through a specially...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-04)
Allocation of Resources Without Limits or Throttling in Kibana Fleet ESA-2026-04 Allocation of Resources Without Limits or Throttling CWE-770 in Kibana Fleet can lead to Excessive Allocation CAPEC-130 via a specially crafted bulk retrieval request. This requires an attacker to have low-level...
Elasticsearch 8.18.6, 8.19.3, 9.0.6, and 9.1.3 Security Update (ESA-2025-14) (CVE-2025-54988)
Elasticsearch XML external entity XXE injection in Apache Tika ESA-2025-14 On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to provid...
Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation
Note — These instructions only apply if you are running Logstash 5.0.0 - 6.8.20, or 7.0.0 - 7.16.0. If you are running an older version of Logstash, or a version of Logstash = 6.8.21 in the 6.x series or = 7.16.1 in the 7.x series, these instructions do not apply. Please follow the guidance in ma...
Elastic Stack 6.8.4 security update
Elasticsearch username disclosure flaw ESA-2019-13 A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm. Affected Versions The following...
Kibana 9.3.3 Security Update (ESA-2026-28)
Server-Side Request Forgery SSRF in Kibana One Workflow Leading to Information Disclosure Server-Side Request Forgery CWE-918 in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in...
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)
Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-35 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an unauthenticated user to embed a malicious script in content that will be served to web browsers...
Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-30)
Packetbeat Improper Bounds Check ESA-2025-30 Improper Bounds Check CWE-787 in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow CAPEC-100 and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid...
Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-24)
Kibana Origin Validation Error ESA-2025-24 Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. Affected Versions: 8.12.0 up to and including 8.19.6 9.1.0 up to and including 9.1.6 9.2.0 Affected...
APM Server 8.14.0 Security Update (ESA-2024-09)
APM Server - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 ESA-2024-09 On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In an on-prem...
Elastic Agent 8.15.0 Security Update (ESA-2024-23)
Elastic Agent Insertion of Sensitive Information into Log File ESA-2024-23 An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs. Affecte...
Elastic APM .NET Agent 1.10.0 Security Update
Elastic APM .NET Agent information disclosure ESA-2021-14 The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM serve...