Kibana 8.19.16, and 9.3.5 Security Update (ESA-2026-36)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memor...
Kibana 8.19.16 and 9.3.5 Security Update (ESA-2026-30)
Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrat...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-21)
Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch RBAC scope via...
Kibana 9.2.8, and 9.3.2 Security Update (ESA-2026-37)
Server-Side Request Forgery SSRF in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted...
Metricbeat 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-01)
Improper Input Validation in Metricbeat Leading to Denial of Service ESA-2026-01 Improper Validation of Array Index CWE-129 exists in Metricbeat and can allow an attacker to cause a Denial of Service via Input Data Manipulation CAPEC-153 using specially crafted, malformed payloads sent to the Graphit...
Kibana 8.19.16, 9.3.5, 9.4.2 Security Update (ESA-2026-35)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user can send a specially crafted compressed request payload that is processed prior to...
Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)
Elasticsearch Insertion of sensitive information in log file ESA-2025-18 Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API Affected Versions: 7.x: All versions from 7.0.0 and u...
Enterprise Search 8.18.6, 8.19.3 Security Update (ESA-2025-15) (CVE-2025-54988)
Enterprise Search XML external entity XXE injection in Apache Tika ESA-2025-15 On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to...
Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)
Elasticsearch yawkat LZ4 Java - CVE-2025-66566 ESA-2026-07 An Information Disclosure vulnerability CVE-2025-66566 exists in the yawkat LZ4 Java library used by Elasticsearch that allows an attacker to read previous buffer contents through specially crafted compressed input sent via the transport...
Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-37)
Elasticsearch Allocation of Resources Without Limits or Throttling ESA-2025-37 Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation CAPEC-130 of memory and a denial of service D...
Filebeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-32)
Filebeat Improper Validation of Specified Index, Position, or Offset in Input ESA-2025-32 Improper Validation of Specified Index, Position, or Offset in Input CWE-1285 in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow CAPEC-100 and cause a...
Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-27)
Elasticsearch Improper Authentication ESA-2025-27 Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate...
Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)
Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-25 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in Kibana can lead to DOM-based XSS due to the use of Vega. The issue on Vega is tracked as CVE-2025-59840...
Synthetics Recorder 1.4.15 Security Update (ESA-2026-16) - CVE-2025-6554 and CVE-2025-7657
Dependency on Vulnerable Third-Party Component in Synthetics Recorder Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in the bundled Chromium browser in Elastic Synthetics Recorder that could allow an attacker to achieve remote code execution on a...
Elastic Cloud Enterprise (ECE) 3.8.3 and 4.0.3 Security Update (ESA-2025-22)
Elastic Cloud Enterprise Improper Authorization ESA-2025-22 Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:...
Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)
Kibana Cross-Site-Scripting XSS ESA-2025-16 Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting XSS Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29 8.x: All versions from 8.0.0 and up to and...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-26)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests wi...
Kibana 9.3.1 Security Update (ESA-2026-17)
Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery SSRF Improper Neutralization of Special Elements Used in a Template Engine CWE-1336 exists in Workflows in Kibana which could allow an attacker to read arbitrary files...
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)
Kibana Improper Authorization ESA-2025-38 Improper Authorization CWE-285 in Kibana can lead to privilege escalation CAPEC-233 by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the...
Kibana - Crowdstrike Connector 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-19)
Kibana Insufficiently Protected Credentials in the CrowdStrike Connector ESA-2025-19 Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from an Elastic Crowdstrike connector in another...
Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17)
Kibana Stored Cross-Site-Scripting XSS ESA-2025-17 Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site-Scripting XSS Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29 8.x: All versions from 8.0.0 and up to and including 8.18.7 8.19.x...
Kibana 8.19.16 Security Update (ESA-2026-39)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with viewer-level access can submit a request containing an oversized input value to...
Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-15)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation CAPEC-153 Affected Versions: 8.x: All versions from 8.0.0 up to and including 8.19.10 9.x:...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-05)
External Control of File Name or Path and Server-Side Request Forgery SSRF in Kibana Google Gemini Connector ESA-2026-05 External Control of File Name or Path CWE-73 combined with Server-Side Request Forgery CWE-918 can allow an attacker to cause arbitrary file disclosure through a specially...
Elastic Defend 8.19.6, 9.1.6, and 9.2.0 Security Update (ESA-2025-23)
Elastic Defend Improper Preservation of Permissions ESA-2025-23 Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation...
Elasticsearch 8.18.6, 8.19.3, 9.0.6, and 9.1.3 Security Update (ESA-2025-14) (CVE-2025-54988)
Elasticsearch XML external entity XXE injection in Apache Tika ESA-2025-14 On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to provid...
Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation
Note — These instructions only apply if you are running Logstash 5.0.0 - 6.8.20, or 7.0.0 - 7.16.0. If you are running an older version of Logstash, or a version of Logstash at or above 6.8.21 in the 6.x series or at or above 7.16.1 in the 7.x series, these instructions do not apply. Please follow the guidance in ma...
Kibana 9.3.3 Security Update (ESA-2026-40)
Server-Side Request Forgery SSRF in Kibana Leading to Unauthorized Network Access Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound...
Kibana Fleet 8.19.16, 9.3.5, and 9.4.2 Security Update (ESA-2026-38)
Improper Input Validation in Kibana Fleet Leading to Privilege Escalation Improper Input Validation CWE-20 in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by...
Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-14)
Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service Inefficient Regular Expression Complexity CWE-1333 in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup CAPEC-492. Affected Versions: 8.x: All versio...
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-13)
Improper Input Validation in Kibana Leading to Denial of Service Improper Input Validation CWE-20 in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation CAPEC-153 Affected Versions: 8.x: All versions from 8.4.0 up to and including 8.19....
Elasticsearch 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-33)
Elasticsearch Allocation of Resources Without Limits or Throttling ESA-2025-33 Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation CAPEC-130 causing a persistent denial of service OOM crash via...
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-28)
Kibana Cross-site Scripting via the Integration Package Upload Functionality ESA-2025-28 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an authenticated user to render an HTML page within a user’s browser via the integration package upload...
Elastic Agent 8.15.0 Security Update (ESA-2024-23)
Elastic Agent Insertion of Sensitive Information into Log File ESA-2024-23 An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs. Affecte...
Elastic Stack 6.8.4 security update
Elasticsearch username disclosure flaw ESA-2019-13 A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm. Affected Versions The following...
Elastic Stack 6.3.0 and 5.6.10 Security Update
Elasticsearch Information Exposure Vulnerability ESA-2018-10 In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the snapshot API. When the accesskey and securitykey parameters are set using the snapshot API they can be exposed as plain text by users able to query the...
Kibana 8.19.16, 9.3.5, 9.4.1 Security Update (ESA-2026-32)
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service Uncontrolled Resource Consumption CWE-400 in Kibana can lead to a denial of service via Excessive Allocation CAPEC-130. An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to...
Logstash 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-29)
Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write Improper Limitation of a Pathname to a Restricted Directory CWE-22 in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal CAPEC-139. The...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-24)
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure Incorrect Authorization CWE-863 in Kibana can lead to information disclosure via Privilege Abuse CAPEC-122. A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data,...
Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-12)
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service Improper Validation of Specified Quantity in Input CWE-1284 in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation CAPEC-153. An...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-08)
Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation ESA-2026-08 Improper Input Validation CWE-20 in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation CAPEC-130 through a specially crafted email address parameter. This requires an...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-04)
Allocation of Resources Without Limits or Throttling in Kibana Fleet ESA-2026-04 Allocation of Resources Without Limits or Throttling CWE-770 in Kibana Fleet can lead to Excessive Allocation CAPEC-130 via a specially crafted bulk retrieval request. This requires an attacker to have low-level...
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)
Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-35 Improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 allows an unauthenticated user to embed a malicious script in content that will be served to web browsers...
Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-29)
Packetbeat Allocation of Resources Without Limits or Throttling ESA-2025-29 Allocation of resources without limits or throttling CWE-770 allows an unauthenticated remote attacker to cause excessive allocation CAPEC-130 of memory and CPU via the integration of malicious IPv4 fragments, leading to ...
Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-24)
Kibana Origin Validation Error ESA-2025-24 Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. Affected Versions: 8.12.0 up to and including 8.19.6 9.1.0 up to and including 9.1.6 9.2.0 Affected...
Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20)
Kibana Cross-Site Scripting XSS ESA-2025-20 Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. Affected Versions: 7.x: All versions prior to and including 7.17.29 8.x: All versions from 8.0.0 up to and including 8.18.7 8.19.x: All...
Kibana 8.17.3 / 8.16.6 Security Update (ESA-2025-06)
Kibana arbitrary code execution via prototype pollution ESA-2025-06 Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions = 8.15.0 and = 8.15.0 and = 8.17.0 and 8.17.3 Solutions and Mitigations: Users...
Kibana 8.15.1 Security Update (ESA-2024-27, ESA-2024-28)
Kibana arbitrary code execution via YAML deserialization in Amazon Bedrock Connector ESA-2024-27 A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic...
APM Server 8.14.0 Security Update (ESA-2024-09)
APM Server - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 ESA-2024-09 On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In an on-prem...
Kibana 8.14.2 / 7.17.23 Security Update (ESA-2024-22)
Kibana arbitrary code execution via prototype pollution ESA-2024-22 A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability,...