Vypr Intelligence · AI-generated · May 31, 2026 · 10 CVEs

Kibana: Elastic Discloses 10 CVEs in a Single Day — SSRF, DoS, and Privilege Escalation

Elastic disclosed 10 CVEs for Kibana on May 28, 2026, spanning SSRF bypasses, resource-exhaustion denial-of-service flaws, privilege escalation, and a stored HTML injection — with one high-severity bug scoring 7.7.

Key findings

  • 10 CVEs disclosed in a single batch on May 28, 2026
  • One High-severity SSRF (CVE-2026-42398, CVSS 7.7) bypasses connector allowlists
  • Four DoS CVEs exploit uncontrolled resource consumption; one processes a crafted payload before authorization checks
  • Fleet agent policy injection (CVE-2026-49095) enables privilege escalation
  • Token expiration logic flaw (CVE-2026-33463) lets tokens outlive their validity window
  • Path traversal (CVE-2026-33462) triggered when admins delete crafted dashboards

Elastic published a coordinated batch of 10 security advisories for Kibana on May 28, 2026, covering vulnerabilities that range from server-side request forgery (SSRF) and denial-of-service via resource exhaustion to privilege escalation, path traversal, and stored HTML injection. The disclosures, released within a one-hour window, affect multiple components of the popular data visualization and exploration platform and include one high-severity CVE alongside nine medium-severity issues.

SSRF bypasses lead the severity chart

The highest-rated vulnerability in the batch is CVE-2026-42398 (CVSSv3 7.7, High), a server-side request forgery flaw in Kibana's connector management feature. An authenticated user with connector management privileges can configure a Webhook connector with a crafted target to bypass the operator-configured connection allowlist, causing Kibana to issue outbound requests to destinations the egress restrictions were intended to block. A related but slightly lower-severity SSRF issue, CVE-2026-49093 (CVSSv3 6.3, Medium), similarly allows bypassing the connector allowlist — though with a different attack vector — enabling authenticated users to force the Kibana server to send requests to blocked destinations.
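The advisories say the allowlist could be bypassed but not how, so the following is an added example of the shape an egress check for connector targets should take, not Elastic's code: the decision is made on the parsed URL (scheme, normalized hostname, effective port) against exact `host:port` entries, never on the raw string a user typed. The allowlist entries and hostnames are constructed for the demo.

```javascript
// Added example (not Kibana's code): an exact-match egress allowlist check
// for outbound connector targets. Entries and hostnames are constructed.

// Operator-configured allowlist: exact "host:port" entries only, no wildcards.
const ALLOWED_TARGETS = new Set([
  'hooks.example.com:443',
  'alerts.internal.example:8443',
]);

// Returns { ok: true, host, port } when the target may be contacted,
// otherwise { ok: false, reason }. Every decision is taken on the parsed
// URL so that case, default ports and userinfo are normalized first.
function checkEgressTarget(rawUrl, allowed = ALLOWED_TARGETS) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, global in Node.js
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not permitted` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not permitted' };
  }
  // url.hostname is already lower-cased; url.port is '' for the scheme default.
  const host = url.hostname;
  const port = url.port || '443';
  const key = `${host}:${port}`;
  if (!allowed.has(key)) {
    // Exact match only: a longer name that merely contains an allowed host
    // as a prefix or suffix is a different host and must not pass.
    return { ok: false, reason: `${key} is not on the allowlist` };
  }
  return { ok: true, host, port };
}

module.exports = { checkEgressTarget, ALLOWED_TARGETS };
```

The point of matching on `host:port` rather than on the URL string is that the same destination can be spelled many ways; normalizing first and then comparing exactly is what makes the allowlist an actual boundary instead of a string filter.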

Denial-of-service cluster: four CVEs target resource exhaustion

Four of the disclosed CVEs fall under uncontrolled resource consumption (CWE-400), all leading to denial of service via excessive allocation (CAPEC-130). CVE-2026-49094 (CVSSv3 6.5) allows an authenticated user with viewer-level access to submit an oversized input value to an analytics collections management endpoint, consuming excessive CPU and memory. CVE-2026-42400 (CVSSv3 6.5) is notable because the specially crafted compressed request payload is processed *prior to authorization checks*, meaning the DoS condition can be triggered before access control is enforced. CVE-2026-42399 (CVSSv3 6.5) exploits deeply chained Timelion visualization expressions to cause exponentially increasing memory consumption from a low-privileged account. Finally, CVE-2026-33464 (CVSSv3 6.5) allows a low-privileged role to submit an oversized payload to an internal Kibana API, exhausting available resources.

Privilege escalation via Fleet agent policy injection

CVE-2026-49095 (CVSSv3 6.5, Medium) targets Kibana's Fleet agent policy management feature. An authenticated user with Fleet management privileges can inject values into a configuration override mechanism that lacks adequate input validation, leading to privilege escalation. This improper input validation (CWE-20) bug gives an attacker with already-elevated Fleet privileges a path to further escalate their standing within the platform.

Token expiration bypass and path traversal

CVE-2026-33463 (CVSSv3 5.3, Medium) is a logic error in how expiration timestamps are validated — an "operation on a resource after expiration or termination" (CWE-672) flaw. A time-bounded access token remains usable beyond its intended validity window, enabling an unauthenticated actor in possession of a leaked or intercepted token to extend its usefulness past the operator's intended expiry.
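The advisory describes a logic error in expiry validation without saying which one, so the following is an added example of a fail-closed check for a time-bounded token, not Kibana's code. It treats the expiry instant itself as expired, rejects missing or non-numeric fields, refuses values that cannot be seconds (a milliseconds value would otherwise look like an expiry centuries away), and caps total lifetime; the field names, limits and sample tokens are constructed.

```javascript
// Added example (not Kibana's code): fail-closed validity-window check for a
// token carrying iat / nbf / exp as seconds since the epoch. Values constructed.
const MAX_LIFETIME_S = 24 * 60 * 60;   // policy cap on exp - iat
const MAX_PLAUSIBLE_SECONDS = 1e11;    // ~year 5138; anything larger is not seconds

// Returns { valid: true, remainingS } or { valid: false, reason }.
// Every malformed or missing field rejects rather than defaulting to "valid".
function checkTokenWindow(token, nowS) {
  if (!token || typeof token !== 'object') return { valid: false, reason: 'no token' };
  const { exp, nbf, iat } = token;

  if (!Number.isFinite(exp)) return { valid: false, reason: 'missing or non-numeric exp' };
  if (exp > MAX_PLAUSIBLE_SECONDS) return { valid: false, reason: 'exp is not in seconds' };

  // The boundary is inclusive on the expired side: at nowS === exp the token is dead.
  if (nowS >= exp) return { valid: false, reason: 'expired' };

  if (nbf !== undefined) {
    if (!Number.isFinite(nbf)) return { valid: false, reason: 'non-numeric nbf' };
    if (nowS < nbf) return { valid: false, reason: 'not yet valid' };
  }

  // Bound the lifetime so an issuer bug cannot mint a token that never expires.
  if (iat !== undefined) {
    if (!Number.isFinite(iat) || iat > exp) return { valid: false, reason: 'inconsistent iat' };
    if (exp - iat > MAX_LIFETIME_S) return { valid: false, reason: 'lifetime exceeds policy' };
  }

  return { valid: true, remainingS: exp - nowS };
}

// Constructed sample: issued at a plausible 2026 timestamp, valid for 15 minutes.
const SAMPLE_IAT = 1780000000;
const SAMPLE_TOKEN = { iat: SAMPLE_IAT, nbf: SAMPLE_IAT, exp: SAMPLE_IAT + 900 };

module.exports = { checkTokenWindow, SAMPLE_TOKEN, SAMPLE_IAT, MAX_LIFETIME_S };
```

The plausibility bound is the one check most validators leave out: a comparison that is correct in seconds silently becomes "never expires" when one side is in milliseconds, which is exactly the class of outcome CWE-672 describes.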

CVE-2026-33462 (CVSSv3 4.6, Medium) is a path traversal vulnerability in Kibana's dashboard management functionality. An authenticated user with limited permissions can create a dashboard with a specially crafted identifier. When an administrator later attempts to delete that dashboard through the Kibana interface, the deletion request triggers a path traversal condition.

Stored HTML injection

CVE-2026-42401 (CVSSv3 4.1, Medium) is a stored injection issue classed as improper neutralization of input during web page generation (CWE-79): a user with write access to an Elasticsearch index can persist crafted markup. When that markup is subsequently rendered through an affected Kibana view by another user, it is not sufficiently sanitized, resulting in stored HTML injection.
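The defence on the rendering side is that every index value crosses into HTML through an escaper appropriate to its output context. The following is an added example, not Kibana's code, that renders constructed documents into a table with text-node and quoted-attribute escaping; the document shape and field names are assumptions.

```javascript
// Added example (not Kibana's code): context-aware escaping when rendering
// index field values into HTML. Documents and field names are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that can change meaning in text nodes and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute values are always double-quoted; an unquoted attribute would let a
// space in the value terminate it and start another.
function attr(name, value) {
  return `${name}="${escapeHtml(value)}"`;
}

// One row per document; both field names and values are treated as untrusted.
function renderTable(docs, fields) {
  const head = fields.map((f) => `<th>${escapeHtml(f)}</th>`).join('');
  const rows = docs.map((doc) => {
    const cells = fields
      .map((f) => `<td ${attr('data-field', f)}>${escapeHtml(doc[f] ?? '')}</td>`)
      .join('');
    return `<tr>${cells}</tr>`;
  });
  return `<table><thead><tr>${head}</tr></thead><tbody>${rows.join('')}</tbody></table>`;
}

// Constructed sample: a value that carries markup the renderer must not emit raw.
const SAMPLE_DOCS = [{ host: 'web-01', message: '<b>bold</b> & "quoted"' }];

module.exports = { escapeHtml, attr, renderTable, SAMPLE_DOCS };
```

Escaping at the point of output, rather than trying to strip markup when the document is written, is what keeps the view safe against values that reached the index through any path the write-side filter did not cover.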

Patch status and mitigations

Elastic has released patches addressing all 10 CVEs in the latest Kibana versions. Users are strongly advised to upgrade to the patched release as soon as possible. For environments where immediate patching is not feasible, operators should review connector allowlist configurations (relevant to the SSRF bugs), restrict Fleet management privileges to trusted users only, and monitor for unusual resource consumption patterns that could indicate exploitation of the DoS CVEs. No in-the-wild exploitation has been publicly reported as of the disclosure date.

Why this batch matters

This disclosure event is notable for its breadth — 10 distinct CVEs touching nearly every major Kibana subsystem: connectors, Fleet, dashboards, Timelion visualizations, analytics collections, token management, and index rendering. The SSRF bypasses (CVE-2026-42398 and CVE-2026-49093) are particularly significant for organizations that rely on connector allowlists as an egress security boundary. The pre-authorization DoS vector in CVE-2026-42400 is also noteworthy because it circumvents access control entirely. Kibana administrators should prioritize patching and review their current version against Elastic's advisory to determine exposure.

AI-written article. Grounded in 10 CVE records listed below.