Elasticsearch
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Elasticsearch product.
RSS Feeds for Elasticsearch security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Elasticsearch products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Elasticsearch Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2025 there have been 0 vulnerabilities in Elasticsearch. Elasticsearch did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 5 | 6.58 |
| 2019 | 2 | 5.15 |
| 2018 | 1 | 6.10 |
It may take a day or so for new Elasticsearch vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Elasticsearch Security Vulnerabilities
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion
CVE-2020-7016
4.8 - Medium
- July 27, 2020
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.
Resource Exhaustion
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw
CVE-2020-7017
6.7 - Medium
- July 27, 2020
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.
XSS
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant
CVE-2020-7012
8.8 - High
- June 03, 2020
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Code Injection
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB
CVE-2020-7013
7.2 - High
- June 03, 2020
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Code Injection
Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization
CVE-2020-7015
5.4 - Medium
- June 03, 2020
Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization.
XSS
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations
CVE-2019-7621
5.4 - Medium
- December 18, 2019
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim�s browser.
XSS
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer
CVE-2019-7616
4.9 - Medium
- July 30, 2019
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
SSRF
The fix in Kibana for ESA-2017-23 was incomplete
CVE-2018-3819
6.1 - Medium
- March 30, 2018
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Open Redirect
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion
CVE-2017-11479
6.1 - Medium
- September 29, 2017
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1
CVE-2015-8131
- December 07, 2015
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Session Riding