Fleet Server 8.19.15, 9.3.4, 9.4.0 Security Update (ESA-2026-41)

Dependency on Vulnerable Third-Party Component in Fleet Server Leading to Denial of Service

A Dependency on a Vulnerable Third-Party Component (CWE-1395) exists in the Go standard library used by Fleet Server. A remote attacker could cause a denial of service by sending a specially crafted payload that triggers the known vulnerability CVE-2026-32283.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.14
  • 9.x:
    • All versions from 9.0.0 up to and including 9.3.3

Affected Configurations:

  • All configurations are affected.

Solutions and Mitigations:

The issue is resolved in Fleet Server versions 8.19.15, 9.3.4, and 9.4.0.
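The affected ranges and fixed releases above are easy to mis-read across two major lines, so the following added example (not code from Elastic or the Fleet Server project) encodes them and triages a constructed inventory of Fleet Server versions; host names and versions in `SAMPLE_INVENTORY` are made up.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and first fixed release per major line, as published in
# ESA-2026-41: (first affected, last affected, fixed).
ADVISORY_RANGES = [
    ((8, 0, 0), (8, 19, 14), (8, 19, 15)),
    ((9, 0, 0), (9, 3, 3), (9, 3, 4)),
]

# MAJOR.MINOR.PATCH, optional leading "v", optional pre-release/build suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(version: str) -> Version:
    """Parse a Fleet Server version string. A suffix such as '-SNAPSHOT' is
    ignored, i.e. a pre-release build is treated as its base release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fleet Server version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi, _ in ADVISORY_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release in the same major line, or None if not affected."""
    v = parse_version(version)
    for lo, hi, fixed in ADVISORY_RANGES:
        if lo <= v <= hi:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fix) for every host still on an affected release."""
    return [(h, ver, fixed_version_for(ver)) for h, ver in inventory if is_affected(ver)]


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ("fleet-a.example", "8.19.14"),
    ("fleet-b.example", "v9.3.3-SNAPSHOT"),
    ("fleet-c.example", "9.4.0"),
]

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} affected by ESA-2026-41, upgrade to {fix}")
```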

For Users that Cannot Upgrade:

Self-Managed

  • Restrict network-level access to Fleet Server to trusted hosts and IP ranges only.

Cloud

  • Elastic Cloud Hosted deployments of Fleet Server are managed by Elastic. Contact Elastic Support if you require immediate assistance prior to the fix being applied.

Indicators of Compromise (IOC)

No specific indicators of compromise have been identified for this vulnerability.

Severity: CVSSv3.1: High (7.5) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-32283
Problem Type: CWE-1395 - Dependency on Vulnerable Third-Party Component