Multiple Kibana Vulnerabilities Enable SSRF and XSS Attacks

Kibana SSRF and XSS Vulnerabilities

Elastic Security has disclosed critical vulnerabilities affecting Kibana that could enable attackers to execute Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) attacks against vulnerable deployments.

The vulnerabilities stem from inadequate origin validation in the Observability AI Assistant component.

The primary vulnerability, tracked as CVE-2025-37734 under Elastic Security Advisory ESA-2025-24, involves an origin validation error in Kibana.

This flaw allows attackers to forge Origin HTTP headers, bypassing security controls designed to prevent unauthorized requests from external sources.

By exploiting this weakness, an attacker can craft requests that cause Kibana to send requests to unintended destinations or perform unintended actions.

Field               Details
CVE ID              CVE-2025-37734
Vulnerability Type  Origin Validation Error (SSRF)
CVSS Score          4.3 (Medium)
Attack Vector       Network
Affected Versions   8.12.0-8.19.6, 9.1.0-9.1.6, 9.2.0
Patch Versions      8.19.7, 9.1.7, 9.2.1

The SSRF vulnerability enables attackers to access internal network resources or services that should remain isolated from external access.

This can lead to information disclosure, lateral movement within networks, or further exploitation of backend systems.

The vulnerability affects multiple Kibana versions, making it a widespread concern for organizations running affected deployments.

Elastic researchers report that the vulnerability only affects deployments that actively use the Observability AI Assistant feature. The vulnerability impacts: Kibana 8.12.0 through 8.19.6, Kibana 9.1.0 through 9.1.6, and Kibana 9.2.0.

Organizations without this component enabled are not affected by this flaw, which has a medium severity rating (CVSS v3.1 score of 4.3).

While this may seem moderate, the impact should not be underestimated given the potential for unauthorized internal network access and data manipulation.

Elastic has released patched versions addressing this vulnerability. Organizations should immediately upgrade to: Kibana 8.19.7, Kibana 9.1.7, and Kibana 9.2.1.

Elastic Cloud Serverless customers are already protected, as continuous deployment and patching models remediated this vulnerability before public disclosure.

Organizations unable to upgrade immediately should consider turning off the Observability AI Assistant feature until patches can be applied.

Additionally, implementing network segmentation and access controls can help limit the potential impact of SSRF exploitation.
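The following is an added triage helper, not code from Elastic or from the advisory: it checks Kibana version strings against the affected and patched versions listed above and flags which hosts need the upgrade, taking into account that deployments with the Observability AI Assistant disabled are not exposed. The inventory format (host, version, assistant enabled) and the host names are constructed for the example.

```python
"""Triage a Kibana inventory against CVE-2025-37734 (ESA-2025-24)."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release) per release line, as published in ESA-2025-24.
AFFECTED_RANGES = [
    ((8, 12, 0), (8, 19, 6), (8, 19, 7)),
    ((9, 1, 0), (9, 1, 6), (9, 1, 7)),
    ((9, 2, 0), (9, 2, 0), (9, 2, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; tolerates a leading 'v' and a '-SNAPSHOT'-style suffix."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Kibana release version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fix_for(version: str) -> Optional[str]:
    """Return the patch release to move to if the version is affected, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return ".".join(map(str, fixed))
    return None


def triage(inventory: str) -> Dict[str, str]:
    """Map each host to an action: 'ok', 'upgrade to X', or 'not affected (assistant disabled)'."""
    result: Dict[str, str] = {}
    for line in inventory.strip().splitlines():
        host, version, assistant = (f.strip() for f in line.split(","))
        fixed = fix_for(version)
        if fixed is None:
            result[host] = "ok"
        elif assistant.lower() != "true":
            result[host] = f"not affected (assistant disabled); patch release is {fixed}"
        else:
            result[host] = f"upgrade to {fixed}"
    return result


# Constructed sample inventory (hypothetical hosts): host, version, AI assistant enabled.
SAMPLE_INVENTORY = """
kibana-a, 8.19.6, true
kibana-b, 9.1.7, true
kibana-c, 9.2.0, false
kibana-d, 8.11.4, true
"""

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```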
