237 matches found

Elastic
added 2025/12/15 10:14 a.m. | 15 views

Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-27)

Elasticsearch Improper Authentication ESA-2025-27 Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate...

CVSS 7.4 | AI score 6.8 | EPSS 0.0016
Exploits: 0

Elastic
added 2025/11/12 9:41 a.m. | 9 views

Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-24)

Kibana Origin Validation Error ESA-2025-24 Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. Affected Versions: 8.12.0 up to and including 8.19.6 9.1.0 up to and including 9.1.6 9.2.0 Affected...

CVSS 4.3 | AI score 6.9 | EPSS 0.00197
Exploits: 0

Elastic
added 2025/11/12 9:33 a.m. | 15 views

Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)

Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-25 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in Kibana can lead to DOM-based XSS due to the use of Vega. The issue on Vega is tracked as CVE-2025-59840...

CVSS 8.2 | AI score 5.3 | EPSS 0.00334
Exploits: 0

Elastic
added 2025/11/06 2:25 p.m. | 11 views

Elastic Defend 8.19.6, 9.1.6, and 9.2.0 Security Update (ESA-2025-23)

Elastic Defend Improper Preservation of Permissions ESA-2025-23 Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation...

CVSS 7 | AI score 7.8 | EPSS 0.00128
Exploits: 0

Elastic
added 2025/10/31 5:36 p.m. | 14 views

Elastic Cloud Enterprise (ECE) 3.8.3 and 4.0.3 Security Update (ESA-2025-22)

Elastic Cloud Enterprise Improper Authorization ESA-2025-22 Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:...

CVSS 8.8 | AI score 7 | EPSS 0.0029
Exploits: 0

Elastic
added 2025/10/13 1:44 p.m. | 8 views

Elastic Cloud Enterprise (ECE) 3.8.2 and 4.0.2 Security Update (ESA-2025-21)

Elastic Cloud Enterprise ECE Improper Neutralization of Special Elements Used in a Template Engine ESA-2025-21 Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise ECE can lead to a malicious actor with Admin access exfiltrating sensitive information a...

CVSS 9.1 | AI score 6.9 | EPSS 0.00565
Exploits: 0

Elastic
added 2025/10/06 4:44 p.m. | 13 views

Kibana - Crowdstrike Connector 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-19)

Kibana Insufficiently Protected Credentials in the CrowdStrike Connector ESA-2025-19 Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from an Elastic Crowdstrike connector in another...

CVSS 5.4 | AI score 6.8 | EPSS 0.00227
Exploits: 0

Elastic
added 2025/10/06 4:40 p.m. | 19 views

Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)

Elasticsearch Insertion of sensitive information in log file ESA-2025-18 Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API Affected Versions: 7.x: All versions from 7.0.0 and u...

CVSS 5.7 | AI score 6.7 | EPSS 0.00225
Exploits: 0

Elastic
added 2025/10/06 4:29 p.m. | 12 views

Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17)

Kibana Stored Cross-Site-Scripting XSS ESA-2025-17 Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site-Scripting XSS Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29 8.x: All versions from 8.0.0 and up to and including 8.18.7 8.19.x...

CVSS 8.7 | AI score 6.5 | EPSS 0.00209
Exploits: 0

Elastic
added 2025/10/06 4:24 p.m. | 14 views

Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)

Kibana Cross-Site-Scripting XSS ESA-2025-16 Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting XSS Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29 8.x: All versions from 8.0.0 and up to and...

CVSS 8.2 | AI score 6.5 | EPSS 0.00239
Exploits: 0

Elastic
added 2025/10/06 4:20 p.m. | 9 views

Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20)

Kibana Cross-Site Scripting XSS ESA-2025-20 Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. Affected Versions: 7.x: All versions prior to and including 7.17.29 8.x: All versions from 8.0.0 up to and including 8.18.7 8.19.x: All...

CVSS 8.7 | AI score 5.2 | EPSS 0.00218
Exploits: 0

Elastic
added 2025/08/28 3:39 p.m. | 16 views

Enterprise Search 8.18.6, 8.19.3 Security Update (ESA-2025-15) (CVE-2025-54988)

Enterprise Search XML external entity XXE injection in Apache Tika ESA-2025-15 On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to...

CVSS 9.8 | AI score 7.2 | EPSS 0.02962
Exploits: 4

Elastic
added 2025/08/28 3:38 p.m. | 12 views

Elasticsearch 8.18.6, 8.19.3, 9.0.6, and 9.1.3 Security Update (ESA-2025-14) (CVE-2025-54988)

Elasticsearch XML external entity XXE injection in Apache Tika ESA-2025-14 On August 20, 2025, CVE-2025-54988 in Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to provid...

CVSS 9.8 | AI score 7.3 | EPSS 0.02962
Exploits: 4

Elastic
added 2025/08/28 3:35 p.m. | 8 views

Kibana 9.0.6, 9.1.3 Security Update (ESA-2025-13)

Kibana privilege escalation via reportinguser role ESA-2025-13 Incorrect authorization in Kibana can lead to privilege escalation via the built-in reportinguser role which incorrectly has the ability to access all Kibana Spaces. Affected Versions: Kibana versions starting from and including 9.0.0,...

CVSS 6.5 | AI score 5.4 | EPSS 0.00254
Exploits: 0

Elastic
added 2025/08/18 2:9 a.m. | 8 views

Elastic Response to Blog ‘EDR 0-Day Vulnerability’

Updated: August 29, 2025 Elastic has been directly engaging with the independent researcher. After evaluating additional information provided by the researcher, our original assessment still stands. To confirm we are responsibly assessing this report and providing an unbiased perspective, we are...

AI score 8.5
Exploits: 0

Elastic
added 2025/07/29 11:32 p.m. | 8 views

Beats (Windows Installer) 8.18.6, 8.19.3, 9.0.6, & 9.1.0 Security Update (ESA-2025-12)

Beats Uncontrolled Search Path Element can lead to Local Privilege Escalation LPE when using the Windows Installer ESA-2025-12 An uncontrolled search path element vulnerability can lead to local privilege Escalation LPE via Insecure Directory Permissions. The vulnerability arises from improper...

CVSS 7 | AI score 5.7 | EPSS 0.00129
Exploits: 0

Elastic
added 2025/07/29 11:30 p.m. | 6 views

APM Server (Windows Installer) 8.16.3, 8.17.1 Security Update (ESA-2025-01)

APM Server Uncontrolled Search Path Element can lead to Local Privilege Escalation LPE when using the Windows Installer ESA-2025-01 An uncontrolled search path element vulnerability can lead to local privilege Escalation LPE via Insecure Directory Permissions. The vulnerability arises from improp...

CVSS 7 | AI score 6.7 | EPSS 0.00123
Exploits: 0

Elastic
added 2025/06/24 5:1 p.m. | 8 views

Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-10)

Kibana Open Redirect ESA-2025-10 URL redirection to an untrusted site 'Open Redirect' in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. Affected Versions: Kibana versions up to and including 7.17.28, 8.0.0 up to and including...

CVSS 5.4 | AI score 6.8 | EPSS 0.00393
Exploits: 0

Elastic
added 2025/06/24 5:0 p.m. | 6 views

Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion ESA-2025-09 On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability. Affected Versions: Kibana versions up to and including...

CVSS 9.9 | AI score 7 | EPSS 0.06387
Exploits: 1

Elastic
added 2025/06/10 4:48 p.m. | 7 views

Kibana 8.12.1 Security Update (ESA-2024-21)

Kibana Improper Authorization ESA-2024-21 Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. Affected Versions: Kibana versions before and including 8.12.0. Solutions and Mitigations: The issue is resolved in versions 8.12.1. Fo...

CVSS 8.8 | AI score 6.9 | EPSS 0.00344
Exploits: 0

Elastic
added 2025/05/06 4:33 p.m. | 8 views

Logstash 8.17.6, 8.18.1, and 9.0.1 Security Update (ESA-2025-08)

Logstash Improper Certificate Validation in TCP output ESA-2025-08 Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle MitM attack in “client” mode, as hostname verification in TCP output was not being performed when the sslverificationmode = full was set...

CVSS 6.5 | AI score 6.8 | EPSS 0.00145
Exploits: 0

Elastic
added 2025/05/06 4:29 p.m. | 7 views

Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07)

Kibana arbitrary code execution via prototype pollution ESA-2025-07 A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Affected Versions: 8.3.0 to 8.17.5, and 8.18.0, and 9.0.0 Affected...

CVSS 9.8 | AI score 7.8 | EPSS 0.12923
Exploits: 2

Elastic
added 2025/05/01 11:34 a.m. | 7 views

Kibana 7.17.24 and 8.12.0 Security Update (ESA-2024-20)

Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS ESA-2024-20 Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetic...

CVSS 5.4 | AI score 6.3 | EPSS 0.0027
Exploits: 0

Elastic
added 2025/05/01 10:15 a.m. | 8 views

Kibana 7.17.19 and 8.13.0 Security Update (ESA-2024-47)

Kibana Unrestricted Upload of File ESA-2024-47 Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. Affected Versions: 7.17.0 to 7.17.18 and 8.0.0 to 8.12.3 Solutions...

CVSS 4.3 | AI score 6.9 | EPSS 0.00274
Exploits: 0

Elastic
added 2025/05/01 10:14 a.m. | 7 views

APM Server 8.16.1 Security Update (ESA-2024-41)

APM Server Insertion of Sensitive Information into Log File ESA-2024-41 APM server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs. Affected...

CVSS 5.7 | AI score 6.4 | EPSS 0.00223
Exploits: 0

Elastic
added 2025/05/01 10:13 a.m. | 7 views

Elasticsearch 7.17.25 and 8.16.0 Security Update (ESA-2024-40)

Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-40 Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. Affected Versions:...

CVSS 7.5 | AI score 6.9 | EPSS 0.00522
Exploits: 0

Elastic
added 2025/05/01 10:11 a.m. | 8 views

Elastic Agent 7.17.25 and 8.15.4 Security Update (ESA-2024-39)

Elastic Agent Inclusion of Functionality from Untrusted Control Sphere ESA-2024-39 Inclusion of functionality from an untrusted control sphere in Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the...

CVSS 7.8 | AI score 7.7 | EPSS 0.00168
Exploits: 0

Elastic
added 2025/05/01 10:10 a.m. | 7 views

Logstash 8.15.3 Security Update (ESA-2024-38)

Logstash affected by CVE-2024-47561 in Apache Avro ESA-2024-38 On October 3, 2024, CVE-2024-47561 was published, which can lead to execution of arbitrary code. The issue only affects users using the Kafka integration plugin and only if a malicious schema is loaded through the schema registry...

CVSS 9.2 | AI score 7.7 | EPSS 0.03278
Exploits: 0

Elastic
added 2025/05/01 10:6 a.m. | 7 views

Elastic Agent / Elastic Endpoint Security Security Update (ESA-2025-03)

Elastic Agent / Elastic Endpoint Security local API key disclosure ESA-2025-03 Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was...

CVSS 7.1 | AI score 6.2 | EPSS 0.00153
Exploits: 0

Elastic
added 2025/04/08 4:0 p.m. | 7 views

Elasticsearch 7.17.24 and 8.15.1 Security Update (ESA-2024-37)

Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-37 An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause a stackoverflow. Affected Versions: Elasticsearch versions 7.17....

CVSS 7.5 | AI score 7 | EPSS 0.00473
Exploits: 0

Elastic
added 2025/04/08 3:59 p.m. | 7 views

Kibana 7.17.23 and 8.15.1 Security Update (ESA-2024-36)

Kibana Uncontrolled Resource Consumption vulnerability ESA-2024-36 An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned ...

CVSS 6.5 | AI score 6.9 | EPSS 0.00316
Exploits: 0

Elastic
added 2025/04/08 3:58 p.m. | 7 views

Logstash 8.15.3, 8.16.0 Security Update (ESA-2024-48)

Logstash Inefficient Regular Expression Complexity ESA-2024-48 On October 28th, 2024, Ruby announced CVE-2024-49761 in rexml which can lead to ReDoS when parsing XML that has many digits between & and x...; in a hex numeric character reference &x...;. The issue only affects users that use the...

CVSS 8.7 | AI score 6.9 | EPSS 0.01429
Exploits: 0

Elastic
added 2025/04/08 3:57 p.m. | 7 views

Elastic Defend 8.17.3 Security Update (ESA-2025-05)

Elastic Defend Insertion of Sensitive Information into Log Files ESA-2025-05 Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack. This...

CVSS 6.5 | AI score 6.5 | EPSS 0.00285
Exploits: 0

Elastic
added 2025/04/08 3:56 p.m. | 7 views

Logstash 8.15.1 Security Update (ESA-2024-35)

Logstash Uncontrolled Resource Consumption vulnerability ESA-2024-35 On August 19, 2024, Floraison announced CVE-2024-43380, which affects fugit "natural" parser. The parser turns natural language into a cron date and was found to accept any length of input, causing an uncontrolled resource...

CVSS 7.5 | AI score 7 | EPSS 0.00792
Exploits: 0

Elastic
added 2025/04/08 3:54 p.m. | 7 views

Elasticsearch 8.15.1 Security Update (ESA-2024-34)

Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-34 A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious...

CVSS 6.5 | AI score 7 | EPSS 0.00433
Exploits: 0

Elastic
added 2025/04/08 3:53 p.m. | 7 views

Kibana 8.16.4 and 8.17.2 Security Update (ESA-2025-02)

Kibana Prototype Pollution can lead to code injection ESA-2025-02 Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Affected Versions: Kibana versions 8.16.1 up to and including 8.16.3, and 8.17.0 up to and including 8.17.1 Solutio...

CVSS 9.8 | AI score 7.6 | EPSS 0.00411
Exploits: 0

Elastic
added 2025/03/05 9:41 a.m. | 9 views

Kibana 8.17.3 / 8.16.6 Security Update (ESA-2025-06)

Kibana arbitrary code execution via prototype pollution ESA-2025-06 Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions = 8.15.0 and = 8.15.0 and = 8.17.0 and 8.17.3 Solutions and Mitigations: Users...

CVSS 9.9 | AI score 8 | EPSS 0.01218
Exploits: 0

Elastic
added 2025/01/23 5:52 a.m. | 7 views

Kibana 7.17.23/8.15.0 Security Updates (ESA-2024-32, ESA-2024-33)

Kibana allocation of resources without limits or throttling leads to crash ESA-2024-33 An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the...

CVSS 6.5 | AI score 6.6 | EPSS 0.00406
Exploits: 0

Elastic
added 2025/01/22 3:9 p.m. | 5 views

Fleet Server 8.15.0 Security Update (ESA-2024-31)

Fleet Server sensitive information exposure via logs ESA-2024-31 An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled...

CVSS 9 | AI score 6.6 | EPSS 0.00284
Exploits: 0

Elastic
added 2025/01/22 3:4 p.m. | 7 views

Kibana 8.15.0 Security Update (ESA-2024-29, ESA-2024-30)

Kibana server-side request forgery ESA-2024-29 A server side request forgery vulnerability was identified in Kibana where the /api/fleet/healthcheck API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that retu...

CVSS 7.7 | AI score 6.4 | EPSS 0.00408
Exploits: 0

Elastic
added 2025/01/21 10:50 a.m. | 6 views

Kibana 7.17.23 and 8.14.2 Security Update (ESA-2024-26)

Kibana allocation of resources without limits or throttling leads to crash ESA-2024-26 An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/logentries/summary. This can be carried out by users with read access to the...

CVSS 6.5 | AI score 6.7 | EPSS 0.0036
Exploits: 0

Elastic
added 2025/01/21 10:49 a.m. | 7 views

Elasticsearch 7.17.21 and 8.13.3 Security Update (ESA-2024-25)

Elasticsearch allocation of resources without limits or throttling leads to crash ESA-2024-25 An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. Affected...

CVSS 7.5 | AI score 7.6 | EPSS 0.00597
Exploits: 0

Elastic
added 2025/01/21 10:48 a.m. | 8 views

Elastic Defend 8.13.3 Security Update (ESA-2024-24)

Elastic Defend Improper Handling of Alternate Encoding Leads to Crash ESA-2024-24 Improper handling of alternate encoding occurs when Elastic Defend on Windows systems attempts to scan a file or process encoded as a multibyte character. This leads to an uncaught exception causing Elastic Defend t...

CVSS 5.5 | AI score 6.8 | EPSS 0.00154
Exploits: 0

Elastic
added 2024/12/17 8:29 p.m. | 7 views

Elasticsearch 8.16.2 / 8.17.0 Security Update

Elasticsearch Incorrect Authorization ESA-2024-46 An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow...

CVSS 6.5 | AI score 7 | EPSS 0.00393
Exploits: 0

Elastic
added 2024/09/05 7:19 p.m. | 9 views

Kibana 8.15.1 Security Update (ESA-2024-27, ESA-2024-28)

Kibana arbitrary code execution via YAML deserialization in Amazon Bedrock Connector ESA-2024-27 A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic...

CVSS 9.9 | AI score 8 | EPSS 0.01257
Exploits: 0

Elastic
added 2024/08/15 9:54 a.m. | 9 views

APM Server 8.14.0 Security Update (ESA-2024-09)

APM Server - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 ESA-2024-09 On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In an on-prem...

CVSS 7.5 | AI score 9.2 | EPSS 0.91969
Exploits: 1

Elastic
added 2024/08/08 11:33 p.m. | 10 views

Elastic Agent 8.15.0 Security Update (ESA-2024-23)

Elastic Agent Insertion of Sensitive Information into Log File ESA-2024-23 An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs. Affecte...

CVSS 6.5 | AI score 6.9 | EPSS 0.00563
Exploits: 0

Elastic
added 2024/08/05 10:23 p.m. | 9 views

Kibana 8.14.2 / 7.17.23 Security Update (ESA-2024-22)

Kibana arbitrary code execution via prototype pollution ESA-2024-22 A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability,...

CVSS 9.1 | AI score 7.7 | EPSS 0.01648
Exploits: 0

Elastic
added 2024/08/02 8:20 p.m. | 7 views

APM Server 8.14.0 Security Update (ESA-2024-19)

APM Server Insertion of Sensitive Information into Log File ESA-2024-19 APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailableshardsexception for a specific document, since the ES response line contains the document body, and that APM...

CVSS 6.5 | AI score 6.7 | EPSS 0.00437
Exploits: 0

Elastic
added 2024/07/31 5:12 p.m. | 6 views

Elasticsearch 8.13.0/7.17.23 Security Update (ESA-2024-12)

Elasticsearch elasticsearch-certutil csr fails to encrypt private key ESA-2024-12 It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is...

CVSS 7.5 | AI score 6.9 | EPSS 0.00206
Exploits: 0

Total number of security vulnerabilities: 237