PatchSiren cyber security CVE debrief
CVE-2026-33462 Elastic CVE debrief
A path traversal vulnerability in Kibana's dashboard management functionality allows an authenticated low-privilege user to craft a malicious dashboard identifier. When an administrator subsequently deletes this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially causing unauthorized deletion of user accounts or other resources. The attack requires social engineering or waiting for an administrator to perform the delete action. The vulnerability was disclosed by Elastic on May 28, 2026, with fixes released in Kibana versions 8.19.16 and 9.3.5.
- Vendor: Elastic
- Product: Kibana
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Kibana versions prior to 8.19.16 or 9.3.5 in multi-user deployments where low-privilege users can create dashboards and administrators routinely manage the dashboard lifecycle. Security teams should prioritize patching and audit recent dashboard deletions for anomalous outcomes.
Technical summary
The vulnerability exists in Kibana's dashboard management functionality where insufficient input validation on dashboard identifiers allows path traversal sequences to be embedded. When an administrator attempts to delete a dashboard containing a crafted identifier, the application fails to properly sanitize or validate the identifier before constructing the deletion request, resulting in redirection to unintended internal endpoints. This can trigger operations beyond the intended dashboard deletion scope, such as user account deletion. The attack chain requires two distinct actors: a low-privilege attacker to plant the malicious object, and a privileged administrator to trigger the vulnerable code path through normal UI interaction.
Defensive priority
medium
Recommended defensive actions
- Upgrade Kibana to version 8.19.16 or later, or 9.3.5 or later, to address this vulnerability
- Review dashboard deletion audit logs for suspicious activity involving unexpected resource deletion
- Implement principle of least privilege for Kibana user accounts, limiting dashboard creation permissions where possible
- Monitor for unusual API endpoint access patterns following dashboard deletion operations
- Verify backup and recovery procedures for user accounts and critical resources are functional
Evidence notes
The vulnerability description indicates exploitation requires: (1) an authenticated user with limited permissions to create a specially crafted dashboard identifier, and (2) an administrator to subsequently delete that dashboard. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L) confirms network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, with low impact to integrity and availability. CWE-22 (Path Traversal) is identified as the weakness type.
Official resources
- CVE-2026-33462 CVE record (CVE.org)
- CVE-2026-33462 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Elastic disclosed this vulnerability on May 28, 2026, via their security advisory ESA-2026-30. The issue affects Kibana and was resolved in versions 8.19.16 and 9.3.5.