VYPR
Medium severity4.6NVD Advisory· Published May 28, 2026· Updated May 29, 2026

CVE-2026-33462

CVE-2026-33462

Description

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

5
  • Elastic/Kibanainferred3 versions
    >=8.0,<8.19.16 || >=9.0,<9.3.5+ 2 more
    • (no CPE)range: >=8.0,<8.19.16 || >=9.0,<9.3.5
    • cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*range: >=8.0.0,<8.19.16
    • (no CPE)
  • osv-coords2 versions
    >= 8.0.0, < 8.19.16+ 1 more
    • (no CPE)range: >= 8.0.0, < 8.19.16
    • (no CPE)range: >= 8.0.0, < 8.19.16

Patches

Vulnerability mechanics

References

1

News mentions

1