Elastic — Vulnerabilities & Security Advisories (223)

Browse all 223 CVE security advisories affecting Elastic. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Elastic operates as a search and analytics engine, primarily powering the ELK Stack for log management and data visualization. With 223 recorded Common Vulnerabilities and Exposures, the platform has historically been susceptible to critical flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation and authentication bypasses within its Java-based architecture. Notable incidents involve unauthorized access to sensitive data through exposed APIs, highlighting risks associated with default configurations. The sheer volume of CVEs suggests persistent challenges in securing complex distributed systems. While the software remains a cornerstone for enterprise search, its extensive attack surface requires rigorous patching and strict access controls to mitigate the high probability of exploitation by threat actors targeting its widespread deployment infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33467 | Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass — Elastic Package Registry (CWE-347) | 5.9 | Medium | 2026-04-28 |
| CVE-2026-33466 | Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write — Logstash (CWE-22) | 8.1 | High | 2026-04-08 |
| CVE-2026-33458 | Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure — Kibana (CWE-918) | 6.8 | Medium | 2026-04-08 |
| CVE-2026-33459 | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service — Kibana (CWE-400) | 6.5 | Medium | 2026-04-08 |
| CVE-2026-33460 | Incorrect Authorization in Kibana Fleet Leading to Information Disclosure — Kibana (CWE-863) | 4.3 | Medium | 2026-04-08 |
| CVE-2026-33461 | Incorrect Authorization in Kibana Fleet Leading to Information Disclosure — Kibana (CWE-863) | 7.7 | High | 2026-04-08 |
| CVE-2026-4498 | Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope — Kibana (CWE-250) | 7.7 | High | 2026-04-08 |
| CVE-2026-26940 | Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service — Kibana (CWE-1284) | 6.5 | Medium | 2026-03-19 |
| CVE-2026-26939 | Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration — Kibana (CWE-862) | 6.5 | Medium | 2026-03-19 |
| CVE-2026-26933 | Improper Validation of Array Index in Packetbeat Leading to Denial of Service — Packetbeat (CWE-129) | 5.7 | Medium | 2026-03-19 |
| CVE-2026-26931 | Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service — Metricbeat (CWE-789) | 5.7 | Medium | 2026-03-19 |
| CVE-2026-26938 | Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF) — Kibana (CWE-1336) | 8.6 | High | 2026-02-26 |
| CVE-2026-26937 | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service — Kibana (CWE-400) | 6.5 | Medium | 2026-02-26 |
| CVE-2026-26936 | Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service — Kibana (CWE-1333) | 4.9 | Medium | 2026-02-26 |
| CVE-2026-26935 | Improper Input Validation in Kibana Leading to Denial of Service — Kibana (CWE-20) | 6.5 | Medium | 2026-02-26 |
| CVE-2026-26934 | Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service — Kibana (CWE-1284) | 6.5 | Medium | 2026-02-26 |
| CVE-2026-26932 | Improper Validation of Array Index in Packetbeat Leading to Denial of Service — Packetbeat (CWE-129) | 5.7 | Medium | 2026-02-26 |
| CVE-2026-0532 | External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector — Kibana (CWE-918) | 8.6 | High | 2026-01-14 |
| CVE-2026-0529 | Improper Validation of Array Index in Packetbeat Leading to Overflow Buffers — Packetbeat (CWE-129) | 6.5 | Medium | 2026-01-14 |
| CVE-2026-0543 | Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation — Kibana (CWE-20) | 6.5 | Medium | 2026-01-13 |
| CVE-2026-0531 | Allocation of Resources Without Limits or Throttling in Kibana Fleet — Kibana (CWE-770) | 6.5 | Medium | 2026-01-13 |
| CVE-2026-0530 | Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation — Kibana (CWE-770) | 6.5 | Medium | 2026-01-13 |
| CVE-2026-0528 | Improper Input Validation in Metricbeat Leading to Denial of Service — Metricbeat (CWE-129) | 6.5 | Medium | 2026-01-13 |
| CVE-2025-68422 | Kibana Improper Authorization — Kibana (CWE-863) | 4.3 | Medium | 2025-12-18 |
| CVE-2025-68386 | Kibana Improper Authorization — Kibana (CWE-863) | 4.3 | Medium | 2025-12-18 |
| CVE-2025-68390 | Elasticsearch Allocation of Resources Without Limits or Throttling — Elasticsearch (CWE-770) | 4.9 | Medium | 2025-12-18 |
| CVE-2025-68389 | Kibana Allocation of Resources Without Limits or Throttling — Kibana (CWE-770) | 6.5 | Medium | 2025-12-18 |
| CVE-2025-68387 | Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') — Kibana (CWE-79) | 6.1 | Medium | 2025-12-18 |
| CVE-2025-68385 | Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') — Kibana (CWE-79) | 7.2 | High | 2025-12-18 |
| CVE-2025-68384 | Elasticsearch Allocation of Resources Without Limits or Throttling — Elasticsearch (CWE-770) | 6.5 | Medium | 2025-12-18 |

This page lists every published CVE security advisory associated with Elastic. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.