PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33463 Elastic CVE debrief

A logic error in Kibana's time-bounded access token validation allows expired tokens to remain usable, enabling unauthorized information disclosure. The vulnerability stems from improper expiration timestamp validation (CWE-672), where tokens are not properly invalidated after their intended validity window expires. An unauthenticated actor in possession of such a token can retrieve associated content beyond the expiration time. This is classified as MEDIUM severity (CVSS 5.3) with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability was disclosed by Elastic on May 28, 2026, with fixes available in versions 8.19.16 and 9.3.5.

Vendor: Elastic
Product: Kibana
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Kibana versions prior to 8.19.16 or 9.3.5 that rely on time-bounded access tokens for content access control. Security teams responsible for authentication and session management in Elastic Stack deployments. Compliance officers monitoring for proper access control enforcement and token lifecycle management.

Technical summary

The vulnerability exists in Kibana's validation logic for time-bounded access tokens. A logic error in expiration timestamp checking allows tokens to remain functional after their designated expiration time. This is an instance of CWE-672, where operations are performed on resources after their intended termination point. The flaw enables an attacker with possession of an expired token to continue accessing associated content without authentication. The attack requires network access but no privileges or user interaction, with low complexity. Impact is limited to confidentiality (low) with no integrity or availability effects.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Kibana to version 8.19.16 or 9.3.5 or later to obtain the fix for this token validation vulnerability
  • Review access token issuance practices and implement additional monitoring for token usage patterns that may indicate exploitation
  • Audit logs for any anomalous access using time-bounded tokens, particularly access occurring outside expected validity windows
  • Validate that any custom token handling implementations properly check expiration timestamps before granting access
  • Consider implementing additional token revocation mechanisms as defense-in-depth for sensitive deployments
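The two checks the list above asks for (a strict expiration comparison in any custom token handling, and an audit of token use outside its validity window) as an added TypeScript illustration; this is not Kibana's code or Elastic's fix, and the token fields, log record shape and sample timestamps are assumptions constructed for the example.

```typescript
// Added example, not Kibana's implementation. Token and log shapes are assumed.
interface TimeBoundedToken {
  id: string;
  expiresAt: number; // Unix seconds (assumed field name and unit)
}

interface AccessRecord {
  tokenId: string;
  at: number; // Unix seconds at which the token was presented
  path: string;
}

// Hardened check: a token is valid only while "now" is strictly before its
// expiry, with an optional clock-skew allowance. A missing or malformed expiry
// is rejected rather than treated as "never expires", which is the CWE-672
// failure mode (use of a resource after its intended lifetime) in this advisory.
function isTokenValid(token: TimeBoundedToken, nowSeconds: number, skewSeconds = 0): boolean {
  const exp = token.expiresAt;
  if (typeof exp !== "number" || !Number.isFinite(exp)) return false;
  return nowSeconds < exp + skewSeconds;
}

// Audit pass: given issued tokens and the accesses seen in logs, return every
// access that occurred after the token's expiry (or used an unknown token id).
function findUseAfterExpiry(tokens: TimeBoundedToken[], accesses: AccessRecord[]): AccessRecord[] {
  const byId = new Map<string, TimeBoundedToken>(
    tokens.map((t): [string, TimeBoundedToken] => [t.id, t]),
  );
  return accesses.filter((a) => {
    const token = byId.get(a.tokenId);
    return token === undefined || !isTokenValid(token, a.at);
  });
}

// Constructed sample data for a dry run; not taken from any real deployment.
const sampleTokens: TimeBoundedToken[] = [
  { id: "tok-a", expiresAt: 1_700_000_600 },
  { id: "tok-b", expiresAt: 1_700_000_300 },
];
const sampleAccesses: AccessRecord[] = [
  { tokenId: "tok-a", at: 1_700_000_100, path: "/api/shared/1" }, // inside the window
  { tokenId: "tok-b", at: 1_700_000_900, path: "/api/shared/2" }, // 600 s after expiry
  { tokenId: "tok-a", at: 1_700_000_601, path: "/api/shared/1" }, // 1 s after expiry
];

// Running the audit over the sample yields the two post-expiry accesses.
const flaggedAccesses = findUseAfterExpiry(sampleTokens, sampleAccesses);
```

In a real review the issuance records and access log would be exported from the deployment's own audit trail; the comparison logic stays the same.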

Evidence notes

The vulnerability is categorized as CWE-672 (Operation on a Resource after Expiration or Termination). CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The official Elastic security advisory confirms affected versions and patch availability.

Official resources

Elastic disclosed this vulnerability on May 28, 2026, via security advisory ESA-2026-33. The issue affects Kibana and was addressed in security update releases 8.19.16 and 9.3.5.