Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.15
- 9.x: All versions from 9.0.0 up to and including 9.3.4
Affected Configurations:
- Kibana instances where untrusted users hold dashboard creation permissions and administrators perform dashboard deletion operations.
Solutions and Mitigations:
The issue is resolved in Kibana versions 8.19.16 and 9.3.5.
For Users that Cannot Upgrade:
- Restrict dashboard creation permissions to trusted users only. Limit the Analytics > Dashboard > All permission to authorized personnel to reduce the risk of a malicious dashboard object being created.
Indicators of Compromise (IOC)
Administrators can review Kibana audit logs for dashboard deletion events that correspond to unexpected security-sensitive operations. Dashboard identifiers containing path traversal sequences may indicate attempted exploitation.
- Review Kibana audit logs for deletion requests redirected to unexpected internal endpoints.
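As an added example (not part of this advisory or of Kibana itself), a small Python scanner that applies the IOC guidance above to Kibana audit log lines: it percent-decodes each saved-object id, flags `..` path segments, and rates delete events highest because the advisory ties the impact to the administrator's delete action. The audit-log field names and every sample record are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample lines shaped like Kibana's ECS JSON audit log. Field names
# (event.action, kibana.saved_object.id) are assumed; every value is made up.
SAMPLE_AUDIT_LOG = """
{"@timestamp":"2026-03-01T10:00:00Z","event":{"action":"saved_object_delete"},"kibana":{"saved_object":{"type":"dashboard","id":"7adfa750-4c81-11e8-b3d7-01146121b73d"}},"user":{"name":"admin"}}
{"@timestamp":"2026-03-01T10:05:00Z","event":{"action":"saved_object_create"},"kibana":{"saved_object":{"type":"dashboard","id":"..%2F..%2Fconstructed-example"}},"user":{"name":"analyst"}}
{"@timestamp":"2026-03-01T10:06:00Z","event":{"action":"saved_object_delete"},"kibana":{"saved_object":{"type":"dashboard","id":"../../constructed-example"}},"user":{"name":"admin"}}
{"@timestamp":"2026-03-01T10:07:00Z","event":{"action":"user_login"},"user":{"name":"bob"}}
"""

# A ".." segment bounded by the start/end of the id or by a slash or backslash.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")

def normalize_id(raw):
    # Percent-decode repeatedly so %2e%2e%2f and double-encoded forms are caught.
    decoded = raw
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded

def has_traversal(saved_object_id):
    return bool(TRAVERSAL.search(normalize_id(saved_object_id)))

def scan_audit_log(text):
    """One finding per audit event whose saved-object id carries a traversal sequence."""
    findings = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        saved_object = ev.get("kibana", {}).get("saved_object") or {}
        obj_id = saved_object.get("id")
        if not obj_id or not has_traversal(obj_id):
            continue
        action = ev.get("event", {}).get("action")
        findings.append({
            "timestamp": ev.get("@timestamp"),
            "user": ev.get("user", {}).get("name"),
            "action": action,
            "id": obj_id,
            # Per the advisory, impact occurs on the admin's delete, so that event needs immediate follow-up.
            "severity": "high" if action == "saved_object_delete" else "medium",
        })
    return findings
```

Running `scan_audit_log` over the constructed sample yields two findings: the creation of the encoded id by the low-privilege user (medium) and the administrator's later delete of the traversal id (high).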
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (4.6) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CVE ID: CVE-2026-33462
Problem Type: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')