Kibana 8.19.17, 9.3.6, 9.4.3 Security Update (ESA-2026-45)

Improper Input Validation in Kibana Leading to Denial of Service

Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user can submit a specially crafted Fleet policy input that is not correctly validated, which can render Fleet agent, server, and policy management functionality unavailable.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.16
  • 9.x:
    • All versions from 9.0.0 up to and including 9.3.5
    • All versions from 9.4.0 up to and including 9.4.2

Affected Configurations:

  • Affects deployments that use Fleet. Exploitation requires an authenticated account with privileges to manage Fleet policies.

Solutions and Mitigations:

The issue is resolved in versions 8.19.17, 9.3.6, and 9.4.3.
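
The following is an added example, not code from Elastic: it checks Kibana version strings against the affected ranges listed above and returns the release that resolves the issue for that range. The host names and inventory are constructed, and ignoring build suffixes such as -SNAPSHOT is an assumption. Components are compared numerically, so 9.3.6 is reported as fixed while 9.4.0 through 9.4.2 are still flagged.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive bounds),
# each paired with the release that resolves the issue for that range.
AFFECTED = [
    ((8, 0, 0), (8, 19, 16), "8.19.17"),
    ((9, 0, 0), (9, 3, 5), "9.3.6"),
    ((9, 4, 0), (9, 4, 2), "9.4.3"),
]

def parse_version(text):
    """Return (major, minor, patch) as integers.

    Assumption: any build suffix after the patch number is ignored.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def fixed_in(version_text):
    """Return the release to upgrade to, or None if the version is not
    inside one of the affected ranges listed in the advisory."""
    version = parse_version(version_text)
    for low, high, fix in AFFECTED:
        # Tuple comparison is numeric per component, so 8.2.0 < 8.19.16.
        if low <= version <= high:
            return fix
    return None

def triage(inventory):
    """Map host -> upgrade target for every host on an affected version."""
    return {host: fix for host, ver in inventory.items()
            if (fix := fixed_in(ver)) is not None}

# Constructed inventory (hypothetical host names) for illustration only.
SAMPLE_INVENTORY = {
    "kibana-prod-1": "8.19.16",
    "kibana-prod-2": "9.3.6",
    "kibana-stage": "9.4.1",
    "kibana-dev": "8.2.0",
}

if __name__ == "__main__":
    for host, fix in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to {fix}")
```

A flagged version is only exposed when the deployment uses Fleet, as stated under Affected Configurations.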

For Users that Cannot Upgrade:

There are no workarounds for this vulnerability.

Indicators of Compromise (IOC)

No specific indicators of compromise have been identified for this vulnerability.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-56151
Problem Type: CWE-20 - Improper Input Validation
Impact: CAPEC-153 - Input Data Manipulation