Multiple Elastic Vulnerabilities Could Lead to File Theft and DoS

Elastic has released urgent security patches addressing four significant vulnerabilities in Kibana that could enable attackers to steal sensitive files, trigger service outages, and exhaust system resources.

The advisories, published on January 14, 2026, affect multiple Kibana versions spanning from 7.x through 9.2.3.

Critical File Disclosure and SSRF Vulnerability

The most severe flaw, CVE-2026-0532, has a CVSS score of 8.6 and combines external file path control with server-side request forgery.

The vulnerability resides in Kibana’s Google Gemini connector, allowing authenticated attackers with connector management privileges to craft malicious JSON payloads that can steal credentials.

| CVE ID | CVSS Score | Severity | Vulnerability Type |
|---|---|---|---|
| CVE-2026-0532 | 8.6 | High | SSRF & File Disclosure (CWE-918, CWE-73) |
| CVE-2026-0543 | 6.5 | Medium | Improper Input Validation (CWE-20) |
| CVE-2026-0531 | 6.5 | Medium | Uncontrolled Resource Allocation (CWE-770) |
| CVE-2026-0530 | 6.5 | Medium | Uncontrolled Resource Allocation (CWE-770) |

By exploiting improper validation, threat actors can trigger arbitrary network requests and read sensitive files directly from affected systems, potentially exposing configuration files, credentials, and application data.

Three medium-severity vulnerabilities (CVE-2026-0530, CVE-2026-0531, and CVE-2026-0543) introduce denial-of-service conditions via resource exhaustion.

CVE-2026-0530 and CVE-2026-0531 stem from uncontrolled resource allocation in Kibana Fleet, permitting low-privilege viewers to craft specially formatted bulk retrieval requests that trigger redundant database operations.

These operations consume memory until the server crashes. Similarly, CVE-2026-0543 affects the Email Connector, where improper input validation on email address parameters results in excessive resource consumption and complete service unavailability.

Taken together, these four flaws mean that organizations running unpatched Kibana installations face immediate exploitation risk.

Elastic recommends urgent upgrades to version 8.19.10, 9.1.10, or 9.2.4, depending on the deployment branch.

For organizations unable to upgrade immediately, Elastic provides limited mitigation options, including turning off specific connector types through the xpack.actions.enabledActionTypes configuration parameter.
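As an added triage helper (not Elastic's code and not part of the advisory), the following script classifies inventoried Kibana versions against the affected range (7.x through 9.2.3) and the three fixed releases named above; the mapping of 7.x/8.x to 8.19.10, 9.0.x/9.1.x to 9.1.10 and 9.2.x to 9.2.4 is an assumption, and the hostnames and versions in the sample inventory are constructed.

```python
# Added triage helper, not Elastic's code. The branch-to-fix mapping below is an
# assumption drawn from the three fixed releases the advisory lists.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
FIX_8, FIX_9_1, FIX_9_2 = (8, 19, 10), (9, 1, 10), (9, 2, 4)  # fixed releases from the advisory

def parse_version(text: str) -> Version:
    """Accept '9.2.3', 'v9.2.3' or '9.2.3-SNAPSHOT'; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def triage(text: str) -> Dict[str, Optional[str]]:
    """Report whether a version still needs upgrading and to which fixed release."""
    version = parse_version(text)
    major, minor, _ = version
    if major <= 8:                      # 7.x and 8.x: 8.19.10 is the lowest fixed release
        target: Optional[Version] = FIX_8
    elif major == 9 and minor <= 1:     # 9.0.x and 9.1.x
        target = FIX_9_1
    elif major == 9 and minor == 2:
        target = FIX_9_2
    else:
        target = None                   # newer than any range the advisory names
    if target is None:
        status = "not_covered"          # review manually rather than assume safe
    elif version >= target:
        status = "patched"
    else:
        status = "upgrade"
    fixed = ".".join(map(str, target)) if status == "upgrade" else None
    return {"version": text.strip(), "status": status, "upgrade_to": fixed}

def hosts_to_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> fixed release for every inventoried host still in an affected range."""
    return {host: r["upgrade_to"] for host, v in inventory.items()
            if (r := triage(v))["status"] == "upgrade"}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"kibana-prod-1": "9.2.3", "kibana-prod-2": "9.2.4",
                    "kibana-legacy": "7.17.0", "kibana-stage": "9.1.10",
                    "kibana-dev": "v8.15.2-SNAPSHOT"}
```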

Notably, Elastic Cloud Serverless deployments received patches through continuous deployment models before public disclosure, shielding cloud-native users from exposure.

Organizations should prioritize patching efforts based on their deployment architecture and exposure level, with particular attention to systems accessible from untrusted networks or shared multi-tenant environments where authenticated users may execute connector operations.
