Description
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.
Published: 2026-05-28
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw (CWE-22) in Kibana's dashboard management allows an authenticated user with limited permissions to create a dashboard whose identifier is crafted so that a later delete request for that object is routed to an unintended internal endpoint. When an administrator deletes the dashboard through the Kibana interface, it is the administrator's own request that carries out the unintended operation, potentially deleting user accounts or other protected resources. The result is a loss of integrity and availability (the CVSS vector rates both as low, with no confidentiality impact): user accounts may be lost and service disrupted.
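To make the weakness class concrete, the following is an added example and not Kibana's code: the host, the route and the crafted identifier are hypothetical (the actual endpoint involved in this CVE is not disclosed on this page). It shows how building a delete URL by concatenating an unvalidated saved-object identifier lets a `..` segment move the request to another path, and how percent-encoding the segment plus an allow-list and a post-resolution check prevents it.

```javascript
// Added example of CWE-22 in URL construction. This is not Kibana's code:
// the host, the route and the crafted identifier below are all hypothetical.
const KIBANA_BASE = "https://kibana.example";            // assumed host
const DASHBOARD_ROUTE = "/api/saved_objects/dashboard/"; // hypothetical route

// Vulnerable pattern: the saved-object id is concatenated straight into the
// path. WHATWG URL resolution then collapses any ".." segments, so an id
// containing "../" moves the request to a different endpoint.
function buildDeleteUrlVulnerable(id) {
  return new URL(DASHBOARD_ROUTE + id, KIBANA_BASE).href;
}

// First fix: percent-encode the id as a single path segment. "/" becomes
// "%2F", which the URL parser does not treat as a segment separator, so
// the ".." text never forms a dot-dot segment.
function buildDeleteUrlEncoded(id) {
  return new URL(DASHBOARD_ROUTE + encodeURIComponent(id), KIBANA_BASE).href;
}

// Defence in depth: also refuse ids outside an allow-list (no slashes, no
// leading dot, bounded length) and assert after resolution that the final
// path still sits under the dashboard route.
const SAFE_ID = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,255}$/;
function buildDeleteUrlHardened(id) {
  if (typeof id !== "string" || !SAFE_ID.test(id)) {
    throw new Error(`refusing to build a delete URL for malformed id: ${JSON.stringify(id)}`);
  }
  const url = new URL(DASHBOARD_ROUTE + encodeURIComponent(id), KIBANA_BASE);
  if (!url.pathname.startsWith(DASHBOARD_ROUTE)) {
    throw new Error("resolved path escaped the dashboard route");
  }
  return url.href;
}

// Constructed inputs for the demonstration.
const BENIGN_ID = "sales-overview-2026";
const CRAFTED_ID = "../../_internal/users/admin"; // hypothetical traversal payload

// Runs all three builders against both ids and reports what each did.
function demo() {
  let hardenedRejection = null;
  try {
    buildDeleteUrlHardened(CRAFTED_ID);
  } catch (e) {
    hardenedRejection = e.message;
  }
  return {
    vulnerable: buildDeleteUrlVulnerable(CRAFTED_ID),
    encoded: buildDeleteUrlEncoded(CRAFTED_ID),
    hardenedBenign: buildDeleteUrlHardened(BENIGN_ID),
    hardenedRejection,
  };
}
```

Run with `node` and inspect `demo()`: the vulnerable builder yields a URL outside the dashboard route, the encoded builder keeps the whole crafted id inside one segment, and the hardened builder accepts the benign id but rejects the crafted one before any request is made.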

Affected Systems

Elastic Kibana is affected wherever the dashboard management functionality is reachable by lower-privileged users. The CVE record on this page lists only a wildcard CPE (cpe:2.3:a:elastic:kibana:*) and no affected or fixed version range, so treat every Kibana release as potentially affected until Elastic's advisory confirms which versions carry the fix.

Risk and Exploitability

The CVSS 3.1 base score of 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L) describes a network-reachable flaw of low complexity that needs low privileges (a user able to create dashboards) plus user interaction (an administrator deleting the crafted dashboard). The EPSS estimate is below 1%, and the SSVC assessment records Exploitation: none and Automatable: no, so the current exploitation probability is low rather than unquantified. Because the attack completes only when an administrator performs the delete action, it is less likely to succeed where administrators review saved objects before deleting them. The vulnerability is not listed in CISA KEV, and no public exploits are currently documented.

Generated by OpenCVE AI on May 28, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the Kibana release that Elastic identifies as fixing this issue once one is published; at the time of this page no vendor fix or workaround is listed, so the remaining items are compensating controls.
  • Limit who can create dashboards (and saved objects generally) to trusted users, since the attack starts with a lower‑privileged user creating the crafted object, and have administrators inspect a dashboard's identifier before deleting objects created by other users.
  • Enable Kibana audit logging, alert on unexpected dashboard or user account deletions, and review the logs regularly to detect abuse.
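As an added example of the audit-logging control above (not Kibana or OpenCVE code), the following scans audit events for saved-object creates and deletes whose identifier carries a traversal pattern, including percent-encoded and double-encoded forms. The log lines are constructed, and the field layout (event.action, user.name, kibana.saved_object.type and .id) is an assumption about an ECS-style Kibana audit format; adjust the accessors to match the events your deployment actually emits.

```javascript
// Added example of detection logic for the audit-logging recommendation.
// Not Kibana or OpenCVE code. The events below are constructed, and the
// field names (event.action, user.name, kibana.saved_object.{type,id}) are
// an assumed ECS-style layout for Kibana audit events.
const SAMPLE_AUDIT_LOG = [
  JSON.stringify({
    "@timestamp": "2026-05-29T10:01:02Z",
    event: { action: "saved_object_create", outcome: "success" },
    user: { name: "analyst" },
    kibana: { saved_object: { type: "dashboard", id: "../../_internal/users/admin" } },
  }),
  JSON.stringify({
    "@timestamp": "2026-05-29T10:05:00Z",
    event: { action: "saved_object_delete", outcome: "success" },
    user: { name: "admin" },
    kibana: { saved_object: { type: "dashboard", id: "sales-overview-2026" } },
  }),
  JSON.stringify({
    "@timestamp": "2026-05-29T10:06:30Z",
    event: { action: "saved_object_delete", outcome: "success" },
    user: { name: "admin" },
    kibana: { saved_object: { type: "dashboard", id: "../../_internal/users/admin" } },
  }),
  JSON.stringify({
    "@timestamp": "2026-05-29T10:07:10Z",
    event: { action: "saved_object_delete", outcome: "success" },
    user: { name: "admin" },
    kibana: { saved_object: { type: "dashboard", id: "..%2F..%2F_internal%2Fusers%2Fadmin" } },
  }),
  "not json: truncated line from a rotated log file",
];

// True when a saved-object id contains a path separator or a dot-dot
// segment after (bounded) percent-decoding, so single- and double-encoded
// payloads are caught as well as literal ones.
function looksLikeTraversal(id) {
  if (typeof id !== "string") return false;
  let decoded = id;
  try {
    for (let i = 0; i < 3; i++) {
      const next = decodeURIComponent(decoded);
      if (next === decoded) break;
      decoded = next;
    }
  } catch (_) {
    return true; // malformed percent-encoding is itself suspicious in an object id
  }
  const normalized = decoded.replace(/\\/g, "/");
  return normalized.includes("/") || normalized.split("/").some((seg) => seg === "..");
}

// Scans JSON-lines audit events. A create or update with a traversal-like id
// is the attacker's setup (medium); a delete with such an id is the moment an
// administrator's action may be redirected (high). Unparseable lines are
// counted rather than silently dropped so gaps in coverage are visible.
function scanAuditLog(lines) {
  const findings = [];
  let skipped = 0;
  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (_) {
      skipped++;
      continue;
    }
    const action = ev?.event?.action ?? "";
    const so = ev?.kibana?.saved_object;
    if (!so || !/^saved_object_(create|update|delete)$/.test(action)) continue;
    if (!looksLikeTraversal(so.id)) continue;
    findings.push({
      timestamp: ev["@timestamp"],
      user: ev?.user?.name ?? "unknown",
      action,
      type: so.type,
      id: so.id,
      severity: action === "saved_object_delete" ? "high" : "medium",
    });
  }
  return { findings, skipped };
}
```

Feed `scanAuditLog` the lines of your audit log; the medium finding on the create event is the earliest point at which the crafted object can be removed through the saved objects API before any administrator touches it.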


Advisories

No advisories yet.

History

Fri, 29 May 2026 21:30:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Fri, 29 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 20:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Elastic; Elastic kibana

Type: Vendors & Products
Values Removed: (none)
Values Added: Elastic; Elastic kibana

Thu, 28 May 2026 19:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.

Type: Title
Values Removed: (none)
Values Added: Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-29T14:55:45.872Z

Reserved: 2026-03-20T10:53:23.099Z

Link: CVE-2026-33462

Vulnrichment

Updated: 2026-05-29T14:55:42.432Z

NVD

Status: Analyzed

Published: 2026-05-28T20:16:22.773

Modified: 2026-05-29T21:20:41.200

Link: CVE-2026-33462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:00:17Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')