CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-33467 – Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass
https://notcve.org/view.php?id=CVE-2026-33467
28 Apr 2026 — Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed. • https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-33466 – Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write
https://notcve.org/view.php?id=CVE-2026-33466
08 Apr 2026 — Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Lo... • https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-33458 – Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
https://notcve.org/view.php?id=CVE-2026-33458
08 Apr 2026 — Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. • https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-33459 – Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
https://notcve.org/view.php?id=CVE-2026-33459
08 Apr 2026 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. • https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-33460 – Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
https://notcve.org/view.php?id=CVE-2026-33460
08 Apr 2026 — Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not aut... • https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813 • CWE-863: Incorrect Authorization •
CVSS: 7.7 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-33461 – Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
https://notcve.org/view.php?id=CVE-2026-33461
08 Apr 2026 — Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the d... • https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812 • CWE-863: Incorrect Authorization •
CVSS: 7.7 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-4498 – Execution with Unnecessary Privileges in Kibana Leading to Reading Index Data Beyond the User's Direct Elasticsearch RBAC Scope
https://notcve.org/view.php?id=CVE-2026-4498
08 Apr 2026 — Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond the user's direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management). • https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-26940 – Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
https://notcve.org/view.php?id=CVE-2026-26940
19 Mar 2026 — Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value. • https://discuss.elastic.co/t/kibana-8-19-13-9-2-7-9-3-2-security-update-esa-2026-20/385535 • CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-26939 – Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration
https://notcve.org/view.php?id=CVE-2026-26939
19 Mar 2026 — Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges. • https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530 • CWE-862: Missing Authorization •
CVSS: 5.7 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-26931 – Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service
https://notcve.org/view.php?id=CVE-2026-26931
19 Mar 2026 — Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead to Denial of Service via Excessive Allocation (CAPEC-130). • https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532 • CWE-789: Memory Allocation with Excessive Size Value •
