Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access
Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded public file share token to remain usable beyond its intended validity window, so an unauthenticated actor in possession of such a token could retrieve the shared file after the share should have expired.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.15
- 9.x: All versions from 9.0.0 up to and including 9.3.4
Affected Configurations:
- Kibana deployments that make use of the public file sharing feature to issue time-bounded download links are affected. Deployments that do not issue public share tokens are not impacted.
Solutions and Mitigations:
The issue is resolved in Kibana versions 8.19.16 and 9.3.5.
For Users who Cannot Upgrade:
- Revoke any active public file share tokens and avoid issuing new public shares until the upgrade has been applied.
- Where feasible, restrict access to file-sharing functionality to trusted administrators only.
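The advisory does not describe the actual defect in Kibana, so the following TypeScript is an added illustration of the CWE-672 bug class behind the description above and of the revocation mitigation listed just before it; it is not Kibana's code. The share record shape, the in-memory store, the function names and the lenient check are all assumptions made for the example. The lenient check shows a common JavaScript way for an expiry comparison to silently fail open: `Date.parse` returns `NaN` for a missing or malformed timestamp, and every comparison against `NaN` is false, so a rejection written as "reject when now > expiry" never fires. The hardened check fails closed, treats the expiry instant itself as expired, and honours a revocation flag.

```typescript
// Added illustration of CWE-672 for time-bounded share tokens. Not Kibana's
// code: the record shape, store, function names and the lenient check are
// assumptions made for this example.

interface ShareRecord {
  token: string;
  fileId: string;
  // Expiry as an ISO-8601 string, as a hypothetical share store might persist
  // it. It may be absent or malformed if the record was written by older code.
  validUntil?: string;
  // Set when an administrator revokes the share (the advisory's mitigation).
  revoked?: boolean;
}

// Lenient pattern (CWE-672): the share is rejected only when `now > expiry`
// evaluates to true. Date.parse yields NaN for a missing or malformed value,
// and every comparison involving NaN is false, so such a share is never
// rejected. The `>` comparison also accepts the token at the exact expiry instant.
function isShareUsableLenient(share: ShareRecord, nowMs: number): boolean {
  const expiryMs = Date.parse(share.validUntil ?? '');
  if (nowMs > expiryMs) {
    return false;
  }
  return true;
}

// Hardened pattern: fail closed. Anything that is not a finite timestamp counts
// as expired, the expiry instant itself is expired, and a revoked share is
// rejected regardless of its expiry.
function isShareUsableStrict(share: ShareRecord, nowMs: number): boolean {
  if (share.revoked === true) return false;
  if (typeof share.validUntil !== 'string') return false;
  const expiryMs = Date.parse(share.validUntil);
  if (!Number.isFinite(expiryMs) || !Number.isFinite(nowMs)) return false;
  return nowMs < expiryMs;
}

// Gate in front of the download: look the token up, apply the strict check
// with the server's clock (never a client-supplied time), and return the file
// id only while the share is still live.
function resolveSharedFile(
  store: Map<string, ShareRecord>,
  token: string,
  nowMs: number = Date.now()
): string | null {
  const share = store.get(token);
  if (share === undefined) return null;
  return isShareUsableStrict(share, nowMs) ? share.fileId : null;
}

// Constructed sample data for this example (not real Kibana records).
const SAMPLE_NOW_MS = Date.parse('2026-04-01T12:00:00Z');
const SAMPLE_STORE = new Map<string, ShareRecord>([
  ['live', { token: 'live', fileId: 'report.pdf', validUntil: '2026-04-01T13:00:00Z' }],
  ['stale', { token: 'stale', fileId: 'export.csv', validUntil: '2026-04-01T11:00:00Z' }],
  ['garbled', { token: 'garbled', fileId: 'dump.ndjson', validUntil: 'not-a-date' }],
  ['unbounded', { token: 'unbounded', fileId: 'keys.txt' }],
  ['pulled', { token: 'pulled', fileId: 'audit.log', validUntil: '2026-04-01T13:00:00Z', revoked: true }],
]);

// Run both checks over the sample store: [lenient, strict] per token. The
// lenient check keeps 'garbled' and 'unbounded' usable indefinitely and
// ignores revocation; the strict check rejects all three.
function compareChecks(nowMs: number = SAMPLE_NOW_MS): Record<string, [boolean, boolean]> {
  const out: Record<string, [boolean, boolean]> = {};
  SAMPLE_STORE.forEach((share, token) => {
    out[token] = [isShareUsableLenient(share, nowMs), isShareUsableStrict(share, nowMs)];
  });
  return out;
}

console.log(compareChecks());
```

Two details carry over to any real implementation of such a check: the clock used for the comparison must be the server's, and the decision must be made after the token lookup on every request rather than cached with the link, otherwise a revocation or a passed expiry is not observed.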
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (5.3) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-33463
Problem Type: CWE-672 - Operation on a Resource after Expiration or Termination