Elastic Elastic Elastic

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Elastic product.

RSS Feeds for Elastic security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Elastic products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Elastic Sorted by Most Security Vulnerabilities since 2018

Elastic Kibana118 vulnerabilities

Elasticsearch51 vulnerabilities

Elastic Cloud Enterprise9 vulnerabilities

Elastic Logstash7 vulnerabilities

Elastic Enterprise Search5 vulnerabilities

Elastic Apm Server4 vulnerabilities

Elastic Endpoint Security3 vulnerabilities

Elastic Endgame2 vulnerabilities

Known Exploited Elastic Vulnerabilities

The following Elastic vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands.
CVE-2015-1427 Exploit Probability: 99.9%
March 25, 2022
Elasticsearch Remote Code Execution Vulnerability Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.
CVE-2014-3120 Exploit Probability: 88.6%
March 25, 2022
Kibana Arbitrary Code Execution Kibana contain an arbitrary code execution flaw in the Timelion visualizer.
CVE-2019-7609 Exploit Probability: 95.3%
January 10, 2022

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 42 vulnerabilities in Elastic with an average score of 6.4 out of ten. Last year, in 2025 Elastic had 41 security vulnerabilities published. That is, 1 more vulnerability have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.35




Year Vulnerabilities Average Score
2026 42 6.37
2025 41 6.72
2024 19 6.44
2023 31 6.95
2022 11 5.66
2021 21 5.76
2020 13 6.10
2019 14 8.38
2018 20 7.11

It may take a day or so for new Elastic vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Elastic Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-49091 Jul 01, 2026
Log Injection Vulnerability (CWE-117) in Kibana (Elastic) Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.
Kibana
CVE-2026-49090 Jul 01, 2026
Uncontrolled Resource Consumption in Elasticsearch Bulk Request Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.
Elasticsearch
CVE-2026-49088 Jul 01, 2026
Kibana APM Logs Leak Sensitive Headers via Log Injection (CWE-532) Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.
Kibana
CVE-2026-49087 Jul 01, 2026
Kibana DoS via Excessive Bulk Deletion Resource Exhaustion Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.
Kibana
CVE-2026-56152 Jul 01, 2026
CVE-2026-56152: Elastic Defend Unauthorized Disclosure via ACL Bypass Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view.
CVE-2026-56151 Jul 01, 2026
Kibana Improper Input Validation Allows Authenticated DoS Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user can submit a specially crafted Fleet policy input that is not correctly validated, which can render Fleet agent, server, and policy management functionality unavailable.
Kibana
CVE-2026-56150 Jul 01, 2026
Elastic Fleet Server Excessive Alloc Leading to DoS Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.
CVE-2026-56149 Jul 01, 2026
Elasticsearch ML Request DOS via CVE-2026-56149 (CWE-770) Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.
Elasticsearch
CVE-2026-56148 Jul 01, 2026
Elasticsearch Uncontrolled Recursion CVE-2026-56148 (Denial of Service) Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.
Elasticsearch
CVE-2026-49093 May 28, 2026
Kibana SSRF Allowlist Bypass via Connector Permissions Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
Kibana
CVE-2026-49094 May 28, 2026
Kibana CVE-2026-49094: Auth Viewer DoS via Oversized Input Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.
Kibana
CVE-2026-49095 May 28, 2026
Kibana Fleet Policy Injection Privilege Escalation Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.
Kibana
CVE-2026-42398 May 28, 2026
Kibana SSRF Auth Users Bypass Egress Allowlist via Webhook Connector Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.
Kibana
CVE-2026-42399 May 28, 2026
Kibana Uncontrolled Resource Consumption via Crafty Timelion Expr (CAPEC-130) Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
Kibana
CVE-2026-42400 May 28, 2026
Kibana Resource Exhaustion via Authenticated Compressed Payload Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing.
Kibana
CVE-2026-42401 May 28, 2026
Kibana Stored XSS via Unsanitized Index Data (CWE79) Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
Kibana
CVE-2026-33463 May 28, 2026
Kibana Token Bypass: Post-Expiration Access (CVE-2026-33463) Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.
Kibana
CVE-2026-33464 May 28, 2026
Kibana Uncontrolled Resource Consumption via Oversized Payload (CVE-2026-33464) Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
Kibana
CVE-2026-33462 May 28, 2026
Kibana Dashboard PKG Path Traversal Allows Admin Deletion of Arbitrary Accounts A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.
Kibana
CVE-2026-33467 Apr 28, 2026
Elastic Package Registry Improper Signature Verification (CWE-347) Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
CVE-2026-33466 Apr 08, 2026
Logstash Archive Path Traversal Enables RCE Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
Logstash
CVE-2026-33458 Apr 08, 2026
SSRF in Kibana One Workflow allows internal endpoint disclosure Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Kibana
CVE-2026-33459 Apr 08, 2026
Kibana Authenticated DoS via Excessive Allocation in Automatic Import Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.
Kibana
CVE-2026-33460 Apr 08, 2026
Kibana Auth Bypass via Unscoped Client Leaks Cross-Space Data Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
Kibana
CVE-2026-33461 Apr 08, 2026
Kibana Internal API Auth Bypass Exposing Sensitive Config Data Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
Kibana
CVE-2026-4498 Apr 08, 2026
CVE-2026-4498: Kibana Fleet Plugin Debug Route Privilege Abuse (CWE-250) Execution with Unnecessary Privileges (CWE-250) in Kibanas Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
Kibana
CVE-2026-26940 Mar 19, 2026
Kibana Timelion Plugin DOS via Overly Large Quantity Value Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.
Kibana
CVE-2026-26939 Mar 19, 2026
Auth Bypass in Kibana Rule Management (CVE-2026-26939) Missing Authorization (CWE-862) in Kibanas server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.
Kibana
CVE-2026-26933 Mar 19, 2026
CVE-2026-26933: Packetbeat OOB Read via Malformed Network Packets Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger out-of-bounds read operations, resulting in application crashes or resource exhaustion. This requires the attacker to be positioned on the same network segment as the Packetbeat deployment or to control traffic routed to monitored interfaces.
CVE-2026-26931 Mar 19, 2026
Metricbeat Remote_write Handler: Excessive Size Value Causing DoS Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).
CVE-2026-26938 Feb 26, 2026
Elastic Kibana Workflows RCE via ServerSide Template Injection Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.
Kibana
CVE-2026-26937 Feb 26, 2026
Kibana Timelion Uncontrolled Res. Consumption (CWE-400) Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)
Kibana
CVE-2026-26936 Feb 26, 2026
Kibana AI Inference Engine DoS via Regex Blowup Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
Kibana
CVE-2026-26935 Feb 26, 2026
Kibana DS via Improper Input Validation in Content Connectors Search Endpoint Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)
Kibana
CVE-2026-26934 Feb 26, 2026
Kibana DoS via Improper Quantity Validation Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.
Kibana
CVE-2026-26932 Feb 26, 2026
Packetbeat GO: Array Index Validation Flaw Enables DoS via Packet Poisoning Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.
CVE-2026-0532 Jan 14, 2026
Elastic Security: External Path & SSRF File Disclosure External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
Kibana
CVE-2026-0529 Jan 14, 2026
Packetbeats MongoDB Protocol Parser Array Index Validation Bypass Improper Validation of Array Index (CWE-129) in Packetbeats MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled.
CVE-2026-0543 Jan 13, 2026
Kibana Email Connector CVE-2026-0543: Improper Input Validation (CWE-20) Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.
Kibana
CVE-2026-0531 Jan 13, 2026
Elastic Kibana Fleet: Memory Exhaustion via Bulk Retrieval (CWE-770) Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.
Kibana
CVE-2026-0530 Jan 13, 2026
Kibana Fleet Resource Exhaustion via Crafted Request (CVE-2026-0530) Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.
Kibana
CVE-2026-0528 Jan 13, 2026
Metricbeat Improper Array Index Validation allowing DoS via Graphite/Zookeeper Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.
CVE-2025-68422 Dec 18, 2025
Kibana Privilege Escalation via AuthBypass HTTP Request (CVE-2025-68422) Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.
Kibana
CVE-2025-68386 Dec 18, 2025
Kibana: Improper Auth Enables Global Document Sharing (CWE-285) Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.
Kibana
CVE-2025-68390 Dec 18, 2025
Elasticsearch Excessive Memory Allocation via Snapshot Restore (DoS) Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
Elasticsearch
CVE-2025-68389 Dec 18, 2025
Kibana Resource Leak: Authenticated DoS via Crafted HTTP (CVE-2025-68389) Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
Kibana
CVE-2025-68387 Dec 18, 2025
Vega XSS via Vulnerable AST Evaluator Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.
Kibana
CVE-2025-68385 Dec 18, 2025
Vega XSS via Input Neutralization Bypass (CVE-2025-68385) Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.
Kibana
CVE-2025-68384 Dec 18, 2025
Elasticsearch OOM DoS: Unrestricted User Settings Allocation Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.
Elasticsearch
CVE-2025-68383 Dec 18, 2025
Filebeat Syslog/Dissect BUF Overflow via Malformed Msg/Tokenizer Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.