Kibana
by Elastic
CVEs (101)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4498 | High | 0.50 | 7.7 | 0.00 | | Apr 8, 2026 | Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond the user's direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management). |
| CVE-2026-33461 | High | 0.50 | 7.7 | 0.00 | | Apr 8, 2026 | Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. |
| CVE-2017-8452 | High | 0.49 | 7.5 | 0.00 | | Jun 16, 2017 | In Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors fail to be cleaned up after certain requests and accumulate over time until the process crashes. |
| CVE-2026-33459 | Medium | 0.42 | 6.5 | 0.00 | | Apr 8, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. |
| CVE-2017-8443 | Medium | 0.42 | 6.5 | 0.00 | | Jun 30, 2017 | In Kibana X-Pack security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged in the Kibana access logs. |
| CVE-2026-33458 | Medium | 0.41 | 6.3 | 0.00 | | Apr 8, 2026 | Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. |
| CVE-2017-11482 | Medium | 0.40 | 6.1 | 0.00 | | Dec 8, 2017 | The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. |
| CVE-2017-11481 | Medium | 0.40 | 6.1 | 0.00 | | Dec 8, 2017 | Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. |
| CVE-2017-11479 | Medium | 0.40 | 6.1 | 0.00 | | Sep 29, 2017 | Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. |
| CVE-2017-8451 | Medium | 0.40 | 6.1 | 0.00 | | Jun 16, 2017 | With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. |
| CVE-2016-10366 | Medium | 0.40 | 6.1 | 0.00 | | Jun 16, 2017 | Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. |
| CVE-2016-10365 | Medium | 0.40 | 6.1 | 0.00 | | Jun 16, 2017 | Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. |
| CVE-2016-1000220 | Medium | 0.40 | 6.1 | 0.00 | | Jun 16, 2017 | Kibana versions before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. |
| CVE-2015-9056 | Medium | 0.40 | 6.1 | 0.00 | | Jun 16, 2017 | Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack. |
| CVE-2017-8440 | Medium | 0.40 | 6.1 | 0.00 | | Jun 5, 2017 | Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. |
| CVE-2017-8439 | Medium | 0.40 | 6.1 | 0.00 | | Jun 5, 2017 | Kibana version 5.4.0 was affected by a cross-site scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users. |
| CVE-2025-37728 | Medium | 0.35 | 5.4 | 0.00 | | Oct 7, 2025 | Insufficiently Protected Credentials in the CrowdStrike connector can lead to CrowdStrike credentials being leaked. A malicious user can access cached credentials from a CrowdStrike connector in another space by creating and running a CrowdStrike connector in a space to which they have access. |
| CVE-2026-33460 | Medium | 0.28 | 4.3 | 0.00 | | Apr 8, 2026 | Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. |
| CVE-2019-7609 | — | 0.16 | — | 0.94 | KEV | Mar 25, 2019 | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system. |
| CVE-2020-7012 | — | 0.09 | — | 0.73 | | Jun 3, 2020 | Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. |