VYPR
Medium severity · 4.6 · NVD Advisory · Published May 28, 2026

CVE-2026-33462

Description

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal in Kibana's dashboard management allows an authenticated low-privilege user to craft a dashboard ID that, when deleted by an admin, can delete user accounts or other resources.

Vulnerability

A path traversal vulnerability (CWE-22) exists in Kibana's dashboard management functionality. An authenticated user with limited permissions can create a dashboard with a specially crafted identifier containing path traversal sequences. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint. This affects Kibana versions 8.0.0 through 8.19.15 and 9.0.0 through 9.3.4 [1].

Exploitation

Exploitation requires an authenticated attacker with dashboard creation permissions (e.g., Analytics > Dashboard > All). The attacker creates a dashboard with a malicious identifier containing path traversal sequences. The attacker then must induce an administrator to perform a delete action on that dashboard. When the administrator deletes the dashboard, the crafted identifier causes the deletion request to be redirected to an unintended internal endpoint, such as one handling user account deletion [1].

Impact

Successful exploitation allows the attacker to cause unauthorized deletion of user accounts or other resources. The impact is on integrity and availability, as the attacker can remove critical system objects. The attacker does not gain direct access but leverages an administrator's action to achieve the deletion [1].

Mitigation

The vulnerability is fixed in Kibana versions 8.19.16 and 9.3.5 [1]. For users who cannot upgrade, restrict dashboard creation permissions to trusted users only and limit the Analytics > Dashboard > All permission to authorized personnel. Administrators should review Kibana audit logs for dashboard deletion events that correspond to unexpected security-sensitive operations or identifiers containing path traversal sequences. Elastic Cloud Serverless was remediated before public disclosure [1].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Elastic/Kibana (inferred), 2 version ranges: >=8.0,<8.19.16 || >=9.0,<9.3.5
    • (no CPE) range: >=8.0,<8.19.16 || >=9.0,<9.3.5
    • (no CPE)

Patches (2)

209c12d77d1b

[Scout] Update test config manifests (#270528)

https://github.com/elastic/kibana · Kibana Machine · May 23, 2026 · Fixed in 8.19.16 via release-tag
1 file changed · +130 −18
  • x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/.meta/ui/standard.json (+130 −18, modified)
    @@ -1,5 +1,5 @@
     {
    -  "sha1": "50b5dfba62ac64690de376d8bc22cd52d75b4e93",
    +  "sha1": "d17dc6f8487721a630d816876f7496bd8d02b0cc",
       "tests": [
         {
           "id": "709f30ae5fb788f-05a1663c9e84f0e",
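Review bot: the `"sha1"` value at the top of the manifest is replaced together with the test entries below, and the file looks generator-owned; the PR description should state which command regenerated `standard.json` so a reviewer can confirm the new checksum `d17dc6f8487721a630d816876f7496bd8d02b0cc` corresponds to the manifest content rather than a hand edit.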
    @@ -221,7 +221,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 71,
    +        "line": 74,
             "column": 7
           }
         },
    @@ -235,7 +235,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 77,
    +        "line": 80,
             "column": 7
           }
         },
    @@ -249,7 +249,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 100,
    +        "line": 103,
             "column": 7
           }
         },
    @@ -263,7 +263,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 108,
    +        "line": 111,
             "column": 7
           }
         },
    @@ -277,7 +277,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 112,
    +        "line": 115,
             "column": 7
           }
         },
    @@ -291,7 +291,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 118,
    +        "line": 121,
             "column": 7
           }
         },
    @@ -305,7 +305,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 137,
    +        "line": 141,
             "column": 7
           }
         },
    @@ -319,7 +319,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 144,
    +        "line": 148,
             "column": 7
           }
         },
    @@ -333,7 +333,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 152,
    +        "line": 156,
             "column": 7
           }
         },
    @@ -347,7 +347,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 161,
    +        "line": 165,
             "column": 7
           }
         },
    @@ -361,7 +361,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 177,
    +        "line": 181,
             "column": 7
           }
         },
    @@ -375,7 +375,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 192,
    +        "line": 196,
             "column": 7
           }
         },
    @@ -389,7 +389,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 202,
    +        "line": 206,
             "column": 7
           }
         },
    @@ -403,7 +403,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 218,
    +        "line": 222,
             "column": 7
           }
         },
    @@ -417,7 +417,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 226,
    +        "line": 233,
             "column": 7
           }
         },
    @@ -431,7 +431,7 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 233,
    +        "line": 240,
             "column": 7
           }
         },
    @@ -445,7 +445,119 @@
           ],
           "location": {
             "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/discovery.spec.ts",
    -        "line": 243,
    +        "line": 250,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-79d3cf13237ee2d",
    +      "title": "Discover ES|QL should switch the query bar to ES|QL and display the default sample query",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 155,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-75f10f82cef9fbf",
    +      "title": "Discover ES|QL should display a metric visualization for ES|QL STATS queries (count and sum)",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 174,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-1081a7397d42c88",
    +      "title": "Discover ES|QL should open the inline edit visualization flyout for an ES|QL chart",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 189,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-4b67968e425b300",
    +      "title": "Discover ES|QL should save an ES|QL visualization to a new dashboard from Discover",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 210,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-dc0e7a2eb6e2df6",
    +      "title": "Discover ES|QL should edit, explore in Discover, and copy an ES|QL panel from a dashboard",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 230,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-f21c2c6ffe20444",
    +      "title": "Discover ES|QL should restrict sidebar fields and grid columns to KEEP-listed fields",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 284,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-8bbbfff9121d488",
    +      "title": "Discover ES|QL should embed a saved ES|QL Discover session on a dashboard and interact with its table",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 305,
    +        "column": 7
    +      }
    +    },
    +    {
    +      "id": "7b807c730155cc2-ab47176f22b71bd",
    +      "title": "Discover ES|QL should save an ES|QL bar histogram to a dashboard and edit it inline",
    +      "expectedStatus": "passed",
    +      "tags": [
    +        "@local-stateful-classic",
    +        "@cloud-stateful-classic"
    +      ],
    +      "location": {
    +        "file": "x-pack/platform/packages/private/kbn-scout-release-testing/test/scout/ui/tests/discover/esql.spec.ts",
    +        "line": 347,
             "column": 7
           }
         },
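Review bot: the eight new `esql.spec.ts` entries (ids `7b807c730155cc2-…`) all declare `"expectedStatus": "passed"` and carry both `@local-stateful-classic` and `@cloud-stateful-classic`, so from this commit they gate release testing in both environments; the PR should link green runs of those specs in both targets, since a manifest entry that expects `passed` for a spec that is still flaky turns the release gate red.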
    
db396449a69d

[9.3] [Scout] Don't create test track if no load candidates are identified (#270584) (#270599)

https://github.com/elastic/kibana · Kibana Machine · May 22, 2026 · Fixed in 9.3.5 via release-tag
3 files changed · +29 −4
  • src/platform/packages/shared/kbn-scout/src/cli/create_test_tracks.ts (+15 −3, modified)
    @@ -549,19 +549,31 @@ export const createTestTracks: Command<void> = {
                 : [...new Set(loads.map((load) => load.config.server.configSet))];
     
             // Each server config set gets its own track
    -        return configSets.map((configSet) => {
    +        return configSets.flatMap((configSet): TestTrack[] => {
               log.info(
                 `Building test track for test target '${target.tag}' with server config set '${configSet}'`
               );
    +
    +          const enabledLoads = loads.filter(
    +            (load) => load.enabled && load.config.server.configSet === configSet
    +          );
    +
    +          if (enabledLoads.length === 0) {
    +            log.warning(
    +              `No enabled test loads found for test target '${target.tag}' and server config set '${configSet}'`
    +            );
    +            return [];
    +          }
    +
               const track = buildTrack(
                 Math.max(minimumRuntime, runtimeTarget),
                 estimatedLaneSetupDuration,
                 target,
    -            loads.filter((load) => load.enabled && load.config.server.configSet === configSet),
    +            enabledLoads,
                 log
               );
               track.metadata.server = { configSet };
    -          return track;
    +          return [track];
             });
           })
           .toArray();
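Review bot: the `log.info(` call that prints `Building test track for test target '${target.tag}' with server config set '${configSet}'` still runs before the new `enabledLoads` guard, so a config set with no enabled loads now logs "Building test track …" immediately followed by the new `log.warning`; moving the info log below the `if (enabledLoads.length === 0)` early return makes the output match what actually happened. The switch from `map` to `flatMap` with `return [];` / `return [track];` is the right way to drop the empty track without a post-filter.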
    
  • src/platform/packages/shared/kbn-scout/src/execution/test_track.test.ts (+10 −0, modified)
    @@ -19,6 +19,16 @@ describe('TestTrack', () => {
         expect(track.leastLoadedOpenLane).toBe(undefined);
       });
     
    +  it('should produce valid stats for an empty track specification', () => {
    +    const track = new TestTrack({ runtimeTarget: 10 });
    +    const spec = track.specification;
    +
    +    expect(spec.stats.lane.count).toBe(0);
    +    expect(spec.stats.lane.saturationPercent).toBe(0);
    +    expect(spec.stats.combinedRuntime.target).toBe(0);
    +    expect(spec.lanes).toEqual([]);
    +  });
    +
       it('closes the lane when one load fills it entirely', () => {
         const track = new TestTrack({ runtimeTarget: 10 });
     
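Review bot: the new test constructs `new TestTrack({ runtimeTarget: 10 })` and then expects `spec.stats.combinedRuntime.target` to be `0`; if that is intended (no lanes, so no combined target regardless of the constructor argument), a one-line comment saying so would save the next reader a trip into `test_track.ts`, and if it is not intended the assertion is locking in the wrong value. Consider also asserting on `longestEstimate` and `shortestEstimate`, since the empty-track path is exactly where those are easiest to get wrong.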
    
  • src/platform/packages/shared/kbn-scout/src/execution/test_track.ts (+4 −1, modified)
    @@ -236,7 +236,10 @@ export class TestTrack {
           stats: {
             lane: {
               count: this.laneCount,
    -          saturationPercent: parseFloat(((expectedRuntime / provisionedRuntime) * 100).toFixed(2)),
    +          saturationPercent:
    +            provisionedRuntime !== 0
    +              ? parseFloat(((expectedRuntime / provisionedRuntime) * 100).toFixed(2))
    +              : 0,
               longestEstimate: longestLaneEstimate,
               shortestEstimate: shortestLaneEstimate,
             },
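Review bot: the `provisionedRuntime !== 0` guard removes the `NaN`/`Infinity` that `expectedRuntime / provisionedRuntime` produced for an empty track, but the neighbouring `longestEstimate: longestLaneEstimate` and `shortestEstimate: shortestLaneEstimate` are computed outside this hunk; check that they are also well defined with zero lanes (a `Math.max`/`Math.min` over an empty array yields `-Infinity`/`Infinity`, which would serialise as `null` in the spec JSON), and extract the percentage into a small helper so the guard is not inlined in the object literal.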
    

Vulnerability mechanics

Root cause

"Missing input validation on dashboard object identifiers allows path traversal characters, causing the deletion request to be redirected to an unintended internal endpoint."

Attack vector

An authenticated attacker with limited permissions crafts a dashboard whose identifier contains path traversal sequences (e.g., `../`). When an administrator later deletes this dashboard through the Kibana UI, the application constructs a deletion request URL using the unsanitized identifier, causing the request to target an internal endpoint outside the intended dashboard management scope. This can result in the unauthorized deletion of user accounts or other resources. The attack requires social engineering to induce an administrator to perform the delete action on the malicious dashboard object.
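The mechanism described above, and the checks that stop it, as an added TypeScript example; this is not Kibana's code and the advisory does not show the vulnerable code path. The route prefix `/api/saved_objects/dashboard/`, the identifier allowlist regex, and the audit-event field names (`event.action`, `kibana.saved_object.type`, `kibana.saved_object.id`) are assumptions; the audit log lines are constructed. The example goes slightly beyond the text by also covering the audit-log review suggested under Mitigation.

```typescript
// Added example (not Kibana's own code). Shows why an unvalidated saved-object
// identifier changes the target of a DELETE request, and the defensive checks a
// service should apply before building that request.

// Hypothetical route prefix for the dashboard delete request; an assumption,
// since the advisory does not show Kibana's route layout.
const DASHBOARD_DELETE_PREFIX = "/api/saved_objects/dashboard/";

// Allowlist for identifiers: alphanumerics, dot, underscore and hyphen, first
// character alphanumeric, at most 256 characters. '/', '\' and '%' are excluded,
// so raw and percent-encoded traversal sequences both fail. The exact charset
// is an assumption, not Kibana's rule.
const SAVED_OBJECT_ID_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,255}$/;

export function isSafeSavedObjectId(id: string): boolean {
  return SAVED_OBJECT_ID_RE.test(id);
}

// What naive concatenation does: the URL parser normalises dot segments, so an
// identifier containing '../' walks out of the dashboard prefix. Returned for
// inspection only; nothing here sends a request.
export function resolvedDeletePath(id: string): string {
  return new URL(DASHBOARD_DELETE_PREFIX + id, "http://kibana.invalid").pathname;
}

export function escapesDashboardScope(id: string): boolean {
  return !resolvedDeletePath(id).startsWith(DASHBOARD_DELETE_PREFIX);
}

// Hardened builder: reject anything outside the allowlist, encode the id as a
// single path segment, and re-check the resolved path as defence in depth.
export function buildDeleteUrl(id: string): string {
  if (!isSafeSavedObjectId(id)) {
    throw new Error(`rejected saved-object id: ${JSON.stringify(id)}`);
  }
  const path = DASHBOARD_DELETE_PREFIX + encodeURIComponent(id);
  const resolved = new URL(path, "http://kibana.invalid").pathname;
  if (!resolved.startsWith(DASHBOARD_DELETE_PREFIX)) {
    throw new Error(`resolved path left the dashboard scope: ${resolved}`);
  }
  return path;
}

// Minimal shape of a Kibana audit event (ECS JSON); only the fields used here.
// Field names are assumed from Kibana's audit logging documentation.
interface AuditEvent {
  event?: { action?: string };
  kibana?: { saved_object?: { type?: string; id?: string } };
  user?: { name?: string };
}

function parseEvent(line: string): AuditEvent | null {
  try {
    return JSON.parse(line) as AuditEvent;
  } catch {
    return null; // not JSON, skip the line
  }
}

// Retrospective audit-log check, as the Mitigation section suggests: flag
// dashboard deletions whose identifier fails the allowlist or would have
// resolved outside the dashboard endpoint.
export function suspiciousDeletions(lines: string[]): string[] {
  const hits: string[] = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev || ev.event?.action !== "saved_object_delete") continue;
    const so = ev.kibana?.saved_object;
    if (!so || so.type !== "dashboard" || typeof so.id !== "string") continue;
    if (!isSafeSavedObjectId(so.id) || escapesDashboardScope(so.id)) hits.push(so.id);
  }
  return hits;
}

// Constructed sample audit lines (not real log output): one ordinary deletion
// and one whose identifier carries a traversal sequence.
export const SAMPLE_AUDIT_LINES: string[] = [
  '{"@timestamp":"2026-05-28T10:00:00.000Z","event":{"action":"saved_object_delete","category":["database"],"type":["deletion"]},"kibana":{"saved_object":{"type":"dashboard","id":"7adfa750-4c81-11e8-b3d7-01146121b73d"}},"user":{"name":"admin"}}',
  '{"@timestamp":"2026-05-28T10:05:00.000Z","event":{"action":"saved_object_delete","category":["database"],"type":["deletion"]},"kibana":{"saved_object":{"type":"dashboard","id":"../../other-endpoint/target"}},"user":{"name":"admin"}}',
];

console.log("suspicious deletions:", suspiciousDeletions(SAMPLE_AUDIT_LINES));
```

The allowlist does the real work: once `/`, `\` and `%` cannot appear in an identifier, there is no traversal sequence left to encode, and `encodeURIComponent` plus the post-build prefix check only guard against a future relaxation of the regex. The audit scan applies the same predicate retrospectively, which is what reviewing deletion events for identifiers containing traversal sequences amounts to in practice.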

Affected code

The bundle does not identify the specific functions or files at fault. The vulnerability resides in Kibana's dashboard management functionality, specifically in the code path that constructs deletion request URLs from dashboard object identifiers. No patch file in the bundle touches this code.

What the fix does

The two patches provided ([patch_id=2980742], [patch_id=2980743]) are unrelated to the path traversal vulnerability: they update Scout test configuration manifests and add guards for empty test tracks. The bundle does not contain a patch that addresses the path traversal issue described in the CVE. No remediation code is shown in the supplied patches, so the advisory's recommended fix (input validation/sanitization of dashboard identifiers) is not observable in the provided diffs.

Preconditions

  • auth: Attacker must be authenticated with at least dashboard creation privileges.
  • input: Attacker must craft a dashboard object identifier containing path traversal sequences.
  • network: Attacker must have network access to the Kibana instance.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.