Kibana 8.16.3, 8.17.2 Security Update (ESA-2026-51)

Authorization Bypass Through User-Controlled Key in Kibana Leading to Unauthorized Data Modification

Authorization Bypass Through User-Controlled Key (CWE-639) in Kibana can lead to unauthorized data modification via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, an authenticated user could reference another user's AI Assistant conversation identifier to access or modify a conversation they do not own. Successful exploitation requires knowledge of a hard-to-guess identifier.
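The pattern behind CWE-639 in this advisory is an object-level authorization gap: the route confirms that the caller is authenticated and may use the feature, then loads the record named by a client-supplied identifier without tying that record to the caller. The following TypeScript is an added illustration written for this page, not Kibana's code; the store, the `Principal` and `Conversation` shapes, the handler names and the sample data are all constructed. It shows the vulnerable shape beside the fixed one, where ownership becomes part of the lookup itself.

```typescript
// Added example, not Kibana's code: CWE-639 on a conversation identifier,
// vulnerable handler beside the fixed handler. All names and data are constructed.

interface Principal {
  userId: string;
  canUseAssistant: boolean; // feature-level privilege, granted to every caller below
}

interface Conversation {
  id: string;      // hard to guess, but secrecy of an id is not authorization
  ownerId: string; // the user who created the conversation
  title: string;
}

class NotFoundError extends Error {}
class ForbiddenError extends Error {}

// Constructed sample data: two users, each owning one conversation.
const store = new Map<string, Conversation>([
  ["7f3a9c2e-0001", { id: "7f3a9c2e-0001", ownerId: "alice", title: "alice's notes" }],
  ["7f3a9c2e-0002", { id: "7f3a9c2e-0002", ownerId: "bob", title: "bob's notes" }],
]);

// Shared feature check: this is the only gate the vulnerable handler applies.
function requireAssistantAccess(who: Principal): void {
  if (!who.canUseAssistant) throw new ForbiddenError("no AI Assistant access");
}

// Vulnerable pattern: feature privilege is checked, the record is fetched by the
// client-supplied id, and the caller's identity is never compared to the owner.
// Any authenticated assistant user who learns a valid id can read or modify it.
function updateTitleVulnerable(who: Principal, convId: string, title: string): Conversation {
  requireAssistantAccess(who);
  const conv = store.get(convId);
  if (!conv) throw new NotFoundError(convId);
  conv.title = title;
  return conv;
}

// Fixed pattern: the lookup is scoped to the caller. A record that exists but is
// owned by someone else is answered exactly like a missing one, so the response
// does not confirm that a guessed id is valid.
function loadOwned(who: Principal, convId: string): Conversation {
  requireAssistantAccess(who);
  const conv = store.get(convId);
  if (!conv || conv.ownerId !== who.userId) throw new NotFoundError(convId);
  return conv;
}

function readTitleFixed(who: Principal, convId: string): string {
  return loadOwned(who, convId).title;
}

function updateTitleFixed(who: Principal, convId: string, title: string): Conversation {
  const conv = loadOwned(who, convId);
  conv.title = title;
  return conv;
}

// Bob, an authenticated assistant user, targets Alice's conversation id through
// both handlers. Outcomes are returned rather than printed so they can be checked.
function demo(): { vulnerable: string; fixedUpdate: string; fixedRead: string } {
  const bob: Principal = { userId: "bob", canUseAssistant: true };
  const alicesConversation = "7f3a9c2e-0001";
  let vulnerable: string;
  try {
    vulnerable = updateTitleVulnerable(bob, alicesConversation, "defaced").title;
  } catch {
    vulnerable = "denied";
  }
  let fixedUpdate: string;
  try {
    fixedUpdate = updateTitleFixed(bob, alicesConversation, "defaced again").title;
  } catch {
    fixedUpdate = "denied";
  }
  let fixedRead: string;
  try {
    fixedRead = readTitleFixed(bob, alicesConversation);
  } catch {
    fixedRead = "denied";
  }
  return { vulnerable, fixedUpdate, fixedRead };
}
```

The feature-level check (`requireAssistantAccess`) is what the advisory's "authenticated account with access to the AI Assistant" precondition corresponds to; it is necessary but says nothing about which conversations the caller may touch. The fix is the per-object ownership test in `loadOwned`, applied on both the read and write paths, and the "hard-to-guess identifier" only raises the attacker's cost, it does not replace that test.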

Affected Versions:

  • 8.x:
    • All versions from 8.0.0 up to and including 8.16.2
    • All versions from 8.17.0 up to and including 8.17.1

Affected Configurations:

  • Affects deployments that use the AI Assistant. Exploitation requires an authenticated account with access to the AI Assistant.

Solutions and Mitigations:

The issue is resolved in versions 8.16.3 and 8.17.2.

For Users Who Cannot Upgrade:

There are no workarounds for this vulnerability.

Indicators of Compromise (IOC)

No specific indicators of compromise have been identified for this vulnerability.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (4.2) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE ID: CVE-2026-49089
Problem Type: CWE-639 - Authorization Bypass Through User-Controlled Key
Impact: CAPEC-1 - Accessing Functionality Not Properly Constrained by ACLs