Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Elastic
Kibana

elastic kibana Vulnerabilities: CVEs, CISA KEV & Security Advisories

118 CVEs

1 in CISA KEV

elastic kibana Vulnerabilities

CVE security advisories and vulnerability history for kibana by elastic.

118

Total CVEs

Published

1

In CISA KEV

Exploited in the wild

4

Public exploits

With known exploit

6.7

Avg CVSS

2015–2026

Last updated May 28, 2026

Overview

elastic kibana has 118 published CVE records since 2015, of which 1 are in CISA's Known Exploited Vulnerabilities catalog and 4 have a known public exploit. The average CVSS base score across scored CVEs is 6.7.

This page aggregates every publicly disclosed vulnerability (CVE) affecting elastic kibana, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list. Affected platforms include Windows.

Severity and exploitation

How the CVSS severity of elastic kibana's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical8

High17

Medium47

Low1

45 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

1

One of elastic kibana's CVEs is confirmed exploited in the wild.

Public exploits

4

4 of elastic kibana's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every elastic kibana version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

Fixed in

> 7.17.2913 CVEs
> 8.19.158 CVEs
8.19.168 CVEs
> 9.3.47 CVEs
7.17.237 CVEs
9.3.57 CVEs
89cafc519e1d6e0e08d8cf5c13eee6886fe6e4126 CVEs
9.3.36 CVEs
> 9.3.25 CVEs
9.2.85 CVEs
> 8.18.74 CVEs
> 8.19.134 CVEs
> 8.19.94 CVEs
> 9.1.94 CVEs

Find a version

118 CVEs

Sort

Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
CVE-2026-49093
Patch
CWE-918
Medium · CVSS 6.3
EPSS 0.0% (10th pct)2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CVE-2026-49094
Patch
CWE-400
Medium · CVSS 6.5
EPSS 0.0% (15th pct)2026-05-28
Improper Input Validation in Kibana Fleet Leading to Privilege Escalation
CVE-2026-49095
Patch
CWE-20
High · CVSS 7.2
EPSS 0.1% (22th pct)2026-05-28
Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
CVE-2026-42398
Patch
CWE-918
High · CVSS 7.7
EPSS 0.0% (10th pct)2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CVE-2026-42399
Patch
CWE-400
Medium · CVSS 6.5
EPSS 0.0% (15th pct)2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CVE-2026-42400
Patch
CWE-400
Medium · CVSS 6.5
EPSS 0.0% (15th pct)2026-05-28
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
CVE-2026-42401
Patch
CWE-79
Medium · CVSS 4.1
EPSS 0.0% (7th pct)2026-05-28
Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access
CVE-2026-33463
Patch
CWE-672
Medium · CVSS 5.3
EPSS 0.1% (21th pct)2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CVE-2026-33464
Patch
CWE-400
Medium · CVSS 6.5
EPSS 0.0% (15th pct)2026-05-28
Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts
CVE-2026-33462
Patch
CWE-22
Medium · CVSS 4.6
EPSS 0.0% (8th pct)2026-05-28
Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
CVE-2026-33458
Patch
CWE-918
Medium · CVSS 6.8
EPSS 0.0% (15th pct)2026-04-08
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CVE-2026-33459
Patch
CWE-400
Medium · CVSS 6.5
EPSS 0.1% (17th pct)2026-04-08
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
CVE-2026-33460
Patch
CWE-863
Medium · CVSS 4.3
EPSS 0.0% (7th pct)2026-04-08
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
CVE-2026-33461
Patch
CWE-863
High · CVSS 7.7
EPSS 0.1% (17th pct)2026-04-08
Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
CVE-2026-4498
Patch
CWE-250
High · CVSS 7.7
EPSS 0.1% (20th pct)2026-04-08
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
CVE-2026-26940
Patch
CWE-1284
Medium · CVSS 6.5
EPSS 0.1% (23th pct)2026-03-19
Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration
CVE-2026-26939
Patch
CWE-862
Medium · CVSS 6.5
EPSS 0.0% (13th pct)2026-03-19
Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)
CVE-2026-26938
Patch
CWE-1336
High · CVSS 8.6
EPSS 0.1% (23th pct)2026-02-26
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CVE-2026-26937
Patch
CWE-400
Medium · CVSS 6.5
EPSS 0.1% (20th pct)2026-02-26
Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service
CVE-2026-26936
Patch
CWE-1333
Medium · CVSS 4.9
EPSS 0.1% (24th pct)2026-02-26
Improper Input Validation in Kibana Leading to Denial of Service
CVE-2026-26935
Patch
CWE-20
Medium · CVSS 6.5
EPSS 0.1% (27th pct)2026-02-26
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
CVE-2026-26934
Patch
CWE-1284
Medium · CVSS 6.5
EPSS 0.1% (23th pct)2026-02-26
External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector
CVE-2026-0532
Patch
CWE-918
High · CVSS 8.6
EPSS 0.1% (17th pct)2026-01-14
Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation
CVE-2026-0543
Patch
CWE-20
Medium · CVSS 6.5
EPSS 0.1% (31th pct)2026-01-13
Allocation of Resources Without Limits or Throttling in Kibana Fleet
CVE-2026-0531
Patch
CWE-770
Medium · CVSS 6.5
EPSS 0.1% (24th pct)2026-01-13
Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation
CVE-2026-0530
Patch
CWE-770
Medium · CVSS 6.5
EPSS 0.1% (23th pct)2026-01-13
Improper Input Validation in Metricbeat Leading to Denial of Service
CVE-2026-0528
Patch
CWE-129
Medium · CVSS 6.5
EPSS 0.1% (29th pct)2026-01-13
Kibana Improper Authorization
CVE-2025-68422
Patch
CWE-863
Medium · CVSS 4.3
EPSS 0.0% (9th pct)2025-12-18
Kibana Improper Authorization
CVE-2025-68386
Patch
CWE-863
Medium · CVSS 4.3
EPSS 0.0% (8th pct)2025-12-18
Kibana Allocation of Resources Without Limits or Throttling
CVE-2025-68389
Patch
CWE-770
Medium · CVSS 6.5
EPSS 0.3% (58th pct)2025-12-18

Showing 30 of 118

Common weakness types

The CWE weakness categories most often found in elastic kibana CVEs. Follow any weakness for its full explanation.

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')24 CVEs
CWE-400Uncontrolled Resource Consumption10 CVEs
CWE-601URL Redirection to Untrusted Site ('Open Redirect')9 CVEs
CWE-94Improper Control of Generation of Code ('Code Injection')8 CVEs
CWE-770Allocation of Resources Without Limits or Throttling6 CVEs
CWE-918Server-Side Request Forgery (SSRF)6 CVEs
CWE-863Incorrect Authorization5 CVEs
CWE-20Improper Input Validation4 CVEs

Disclosure activity by year

How many elastic kibana CVEs were published each year.

2015

2

2017

14

2018

7

2019

6

2020

6

2021

5

2022

7

2023

10

2024

8

2025

26

2026

27

Other elastic products

Browse vulnerabilities for other products by elastic.

elasticsearch49 CVEs logstash16 CVEs elastic cloud enterprise10 CVEs x-pack9 CVEs beats8 CVEs Packetbeat7 CVEs APM Server6 CVEs Elastic X-Pack Security6 CVEs

All elastic vulnerabilities

Frequently asked questions

Common questions about elastic kibana vulnerabilities.

How many CVEs does elastic kibana have?

elastic kibana has 118 published CVE records since 2015.

How many elastic kibana CVEs are in CISA KEV?

Yes — 1 of elastic kibana's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Are there public exploits for elastic kibana vulnerabilities?

Yes — 4 of elastic kibana's CVEs have a known public exploit.

Which versions of elastic kibana are affected?

493 distinct elastic kibana versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in elastic kibana CVEs?

elastic kibana's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-400 (Uncontrolled Resource Consumption), CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')), CWE-94 (Improper Control of Generation of Code ('Code Injection')).

How many critical elastic kibana vulnerabilities are there?

elastic kibana has 8 critical and 17 high-severity CVEs.

What is the average severity of elastic kibana CVEs?

The average CVSS base score across elastic kibana's scored CVEs is 6.7.

References

All elastic vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track elastic kibana vulnerabilities

Monitor new elastic kibana vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References

> 9.2.34 CVEs

> 9.2.74 CVEs

> 9.3.04 CVEs

3c5e7066866006c39ba40861ab0c05b6406ed3574 CVEs

7.17.294 CVEs

8.14.04 CVEs

8.15.04 CVEs

8.19.144 CVEs

8aa0b59da12c996e3048d8875446667ee6e15c7f4 CVEs

9.1.104 CVEs

9.2.44 CVEs

b05a85503d4590280c7e9263175269a5f4a097294 CVEs

f6e2f2e44cc0a6a11435f1b6350f735e23bef4b44 CVEs

> 8.19.113 CVEs

> 8.19.43 CVEs

> 8.19.83 CVEs

> 9.0.73 CVEs

> 9.1.43 CVEs

> 9.1.83 CVEs

> 9.2.23 CVEs

> 9.2.53 CVEs

08ece643671f3ee61a7297b3e67aa99e79a1aef73 CVEs

126c439648663caa7554075ebc3d1e9a6f8ad93c3 CVEs

3bc2979d1d65982aee7d13ebd65434c3470dc8083 CVEs

3db3deaf7462e4deb623412b331718062bae3d773 CVEs

42f1c10f1e8aa480aaf63cdd403d2f3a3eb42cd33 CVEs

4fac8383dfc0031e7def1e69a9a7ae5a5694bf663 CVEs

5.6.153 CVEs

6.1.33 CVEs

6.6.13 CVEs

6803805478ed373f560b161907994536f4cafef73 CVEs

8.18.83 CVEs

8.19.103 CVEs

8.19.123 CVEs

8.19.93 CVEs

9.1.93 CVEs

9.2.33 CVEs

9.2.63 CVEs

c0c81857d435f499ec2514d9a4823e3dc87021bd3 CVEs

e4f1e8f824c4cdc70bfa09a5ec734d71083664563 CVEs

> 8.13.42 CVEs

> 8.15.02 CVEs

> 8.19.102 CVEs

> 8.19.62 CVEs

> 8.19.72 CVEs

> 9.1.62 CVEs

> 9.1.72 CVEs

> 9.2.12 CVEs

> 9.2.42 CVEs

> 9.3.12 CVEs

> 9.4.12 CVEs

00b0b0440dbf6f8c542448473e020c99d352a0f52 CVEs

00d0f493b91e3215703b8c8a64ec09966216ed952 CVEs

16276053a4c29c654785bb35bce6b512c15435b12 CVEs

196ec3974d4c725a3d937725419e5ed7d8fdb1042 CVEs

1fb7cb47c5ffdbd0fae1b8ac24fd84158f33e0852 CVEs

28cf679904329ed50de370ff1e1e71f1b57996a12 CVEs

2ceb68bd03a3cc20c26495ec986ed4f244589d692 CVEs

3223f0953e9361aa0317520c49c8b4c3796cc4c32 CVEs

4.1.112 CVEs

4.5.42 CVEs

43696930d77d3bb567e445624874eab9cf3638722 CVEs

4a62c99c68a5156b84e1bf986d47e0a3175918202 CVEs

5.6.72 CVEs

50d89958910ab6fa9b8c4f4f40c53e89ad6dbbe12 CVEs

5f55be16d833f6df054715d37659874bcecaa0b12 CVEs

6c427d979e2b3a65eea87f31ba4b65dc579ee2f02 CVEs

6ecd757760927423daa344d901e634b43497e16d2 CVEs

7.13.02 CVEs

7.14.02 CVEs

7.14.12 CVEs

7.15.22 CVEs

7.17.222 CVEs

7.17.23, 8.14.22 CVEs

7.17.92 CVEs

8.12.12 CVEs

8.14.22 CVEs

8.19.112 CVEs

8.19.52 CVEs

8.19.72 CVEs

8.19.82 CVEs

8221b17926966fd1e433367d6f725a69f321d5ad2 CVEs

9.0.82 CVEs

9.1.52 CVEs

9.1.72 CVEs

9.1.82 CVEs

9.2.22 CVEs

9.2.52 CVEs

9.3.22 CVEs

9.4.22 CVEs

9863e88bd63ad546b9d36e6b0c0c55cb65dd90812 CVEs

a2a93735478172a315d2ced4aded3024cc0296482 CVEs

c0340ed35c591c77a90ebf1c790c20aa075716722 CVEs

c14722b56e3d34d5203bd311e91f9ec49227b0442 CVEs

c55c5d9acf510bed020a4fdc1c4ca8c81c7b7a1b2 CVEs

f99524135b3b29ff4011629c9e8511086b1a597a2 CVEs

> 7.17.221 CVE

> 7.17.281 CVE

> 8.17.71 CVE

> 8.18.21 CVE

> 8.19.121 CVE

> 8.19.31 CVE

> 8.19.51 CVE

> 9.0.21 CVE

> 9.0.51 CVE

> 9.0.61 CVE

> 9.1.21 CVE

> 9.1.31 CVE

> 9.1.51 CVE

> 9.2.61 CVE

> 9.4.01 CVE

042db7248f4083cb1659298cf6a84625b71fbf581 CVE

09feaf416f986b239b8e8ad95ecdda0f9d56ebec1 CVE

1dd8afaeb2983465709102953afc344ff736b27d1 CVE

28847d93343b5a3adfb1bcb953866a6705ab746f1 CVE

2a6387559c5754976a6a9c94ef2d8e4b55f2617b1 CVE

2e3a5cd43e835baa1d596b1aa54735992259ecb91 CVE

3457f326b763887d154c9da00bd4e489221a2ff31 CVE

39969cb4b1ab957faf1e78d25d83ec04192ddc211 CVE

3b8379b249b9b5ab0c3c2ee245cd7d62ad93ab4d1 CVE

3c8a373dd4837e89b3f970e01295dd03e1405a331 CVE

4.1.31 CVE

4.2.11 CVE

4c2492450a50cd000fcd85edf668b758286861961 CVE

4d74e2c041a2e9b7c6cefe20d106cde5f3d2439c1 CVE

4fb3ec3c959e4c569aca4674243a2ecba9d973a71 CVE

5.6.131 CVE

57608cbf53423b24acae7c1e589faf57a6bacaf21 CVE

5838d16e60eb684b785702c80ff41e59d344fe1f1 CVE

6.4.31 CVE

6.8.101 CVE

6.8.151 CVE

6.8.161 CVE

6.8.21 CVE

6.8.61 CVE

6.8.91 CVE

60a9838d21b6420bbdb5a4d07099111b74c68ceb1 CVE

689427c076a5a45dc59d113df04bd4522c1053911 CVE

6d05841a418cfec4a88f0afbee172bccd9f0cded1 CVE

7.12.01 CVE

7.12.11 CVE

7.17.01 CVE

7.17.11 CVE

7.17.161 CVE

7.17.181 CVE

7.17.191 CVE

7.17.241 CVE

7.17.31 CVE

7.17.51 CVE

7.2.11 CVE

7.5.11 CVE

7.7.01 CVE

7.7.11 CVE

70e0ee45ae6f2e5cd35b7af4822d86ffa877ad9c1 CVE

78e8422ed4e7d2054bd35b82a91299b3f7bd62311 CVE

7c4882bd34f27e726bd4c662e4536e7deb9113fc1 CVE

8.1.31 CVE

8.11.11 CVE

8.11.21 CVE

8.11.41 CVE

8.12.01 CVE

8.13.01 CVE

8.15.11 CVE

8.16.41 CVE

8.16.61 CVE

8.17.11 CVE

8.17.21 CVE

8.17.31 CVE

8.17.61 CVE

8.17.81 CVE

8.18.11 CVE

8.18.31 CVE

8.19.01 CVE

8.19.131 CVE

8.19.41 CVE

8.6.11 CVE

8.6.21 CVE

8542051ee8adba98f671a18cff02910fcd1f06fc1 CVE

9.0.11 CVE

9.0.31 CVE

9.0.61 CVE

9.0.71 CVE

9.1.31 CVE

9.1.41 CVE

9.2.01 CVE

9.2.71 CVE

92746356b61c3e3ac62b6d7045727f8d737fa4b51 CVE

968768f01f873fec244749abc3c6e939d0e3eda01 CVE

9ac86ca77adb4dc5793e20f76695563f0be31f0a1 CVE

9d44cc2d50d27f4d3ae7b72f0fe6b612508674bb1 CVE

a174acf677e77d280e3cbbbd8ffb6eca6db808461 CVE

a8042692500503cca8f3d4aed3c38da398c22f9d1 CVE

aabd37e8a9069bed4f63b8c457a6829f4581ab971 CVE

abb04c5543d2201630c9669fe3680864506d924e1 CVE

b7f9a41f486a2910ef22a1274ec734219c35ca3e1 CVE

c44c8c44c82ed80d1ae3dd990291dcc85b7a27dc1 CVE

c9d7ee0739b7d6af7553e326075e81728534ab441 CVE

cd49631953cd3a928d6dbaadc722fe1d51191fa41 CVE

d7985c80643203de533d99844eb1b53cae85f8f91 CVE

dcd0a101ed880bb10a4dcf511b91fd611d8c805d1 CVE

dd7258ddc9c294cb93a248c2fa0d09e886596d911 CVE

e13d5b1fed429df03e29af259ffccd64532509471 CVE

e9092c0a17923f4ed984456b8a5db619b0a794b31 CVE

f027fad862817a52175b9ad2663e5126b9bad4281 CVE

f287f702223d72e963bf7ea663b89868fec88e111 CVE

f66ec5b0ddd990d103489c47ca1bcb97dc50bc6b1 CVE

faabb4e47ac99b6f367713ef845613b7313914b81 CVE

ffd4de9b9f5a85037c2acfcaecdc566975bb63551 CVE

ffd7cbf34ac1234c78354f2a22ef5f1703c04eaf1 CVE