Kibana 8.18.9, 8.19.6, 9.0.8, 9.1.6 Security Update (ESA-2026-50)

Insertion of Sensitive Information into Log File in Kibana Leading to Information Disclosure

Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.

Affected Versions:

  • 8.x:
    • All versions from 8.0.0 up to and including 8.18.8
    • All versions from 8.19.0 up to and including 8.19.5
  • 9.x:
    • All versions from 9.0.0 up to and including 9.0.7
    • All versions from 9.1.0 up to and including 9.1.5
    • (9.2.0 and later not affected)

Affected Configurations:

  • Affects deployments that explicitly enable APM instrumentation. Deployments without APM instrumentation enabled are not affected.

Solutions and Mitigations:

The issue is resolved in versions 8.18.9, 8.19.6, 9.0.8, and 9.1.6.

For Users that Cannot Upgrade:

  • Self-Managed: Disable the optional APM instrumentation until the deployment is upgraded.

  • Cloud: This issue was remediated on Elastic-managed infrastructure prior to disclosure; for self-configured Elastic Cloud Hosted deployments, disable the optional APM instrumentation until upgraded.

Indicators of Compromise (IOC)

Inspect application logs for recorded request header values (including Cookie values); their presence indicates exposure.
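
The log inspection described above, as an added example (not Elastic's own tooling): it scans JSON or plain-text log lines for unmasked sensitive header values and reports where they occur without echoing the values. The header names other than Cookie, the redaction markers, and the layout of the sample lines are assumptions; the sample lines are constructed.

```python
import json
import re

# "cookie" is named in the advisory; the other header names are assumptions.
SENSITIVE_HEADERS = ("proxy-authorization", "authorization", "cookie")
# Markers treated as already-masked values (assumed; adjust to your logger).
REDACTED = {"", "[redacted]", "redacted", "***"}
# Matches header: value or "header":"value" inside free text and message strings.
TEXT_RE = re.compile(
    r"\b(" + "|".join(SENSITIVE_HEADERS) + r")\b[\"']?\s*[:=]\s*[\"']?([^\"',}\s][^\"',}]*)",
    re.IGNORECASE)

def _exposed(value):
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and v.strip().lower() not in REDACTED for v in values)

def _walk(node, path=""):
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_HEADERS and _exposed(value):
                yield key.lower(), here
            else:
                yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")
    elif isinstance(node, str):
        for m in TEXT_RE.finditer(node):
            if m.group(2).strip().lower() not in REDACTED:
                yield m.group(1).lower(), path or "<text>"

def scan(lines):
    """Return (line_number, header, location) tuples; values are never echoed."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            record = line  # not JSON: treat as a plain-text log line
        findings += [(lineno, header, loc) for header, loc in _walk(record)]
    return findings

# Constructed sample lines; field names and layout are hypothetical.
SAMPLE_LOG = [
    '{"message":"request","http":{"request":{"headers":{"Cookie":"sid=EXAMPLE-NOT-REAL"}}}}',
    '{"message":"request","http":{"request":{"headers":{"cookie":"[REDACTED]"}}}}',
    '[2026-01-01T00:00:02Z][DEBUG][apm] headers: authorization: Bearer EXAMPLE-NOT-REAL',
]
```

Any finding means the logged value should be treated as exposed to everyone with access to that log.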

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (4.4) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-49088
Problem Type: CWE-532 - Insertion of Sensitive Information into Log File