Elastic has released critical security updates to address four notable vulnerabilities across its platform, including one high-severity flaw that could allow attackers to access arbitrary files through compromised connector configurations. These issues primarily affect Kibana and several of its built-in components.
The patched vulnerabilities span multiple risk areas, including unsafe file handling, insufficient input validation, and uncontrolled resource allocation. If left unaddressed, these flaws could be abused to expose sensitive data, disrupt services, or degrade system availability.
Vulnerabilities Addressed
| CVE ID | Description | CVSS | Severity | Affected Versions |
|---|---|---|---|---|
| CVE-2026-0532 | External Control of File Name or Path (CWE-73) and Server-Side Request Forgery (CWE-918) | 8.6 | High | 8.15.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3 |
| CVE-2026-0543 | Improper Input Validation (CWE-20) in Email Connector | 6.5 | Medium | All 7.x, up to 8.19.9, up to 9.2.3 |
| CVE-2026-0531 | Allocation of Resources Without Limits (CWE-770) in Fleet | 6.5 | Medium | 7.10.0–7.17.29, up to 8.19.9, up to 9.2.3 |
| CVE-2026-0530 | Allocation of Resources Without Limits (CWE-770) in Fleet | 6.5 | Medium | 7.10.0–7.17.29, up to 8.19.9, up to 9.2.3 |
Vulnerability Details
CVE-2026-0532 — Arbitrary File Access and SSRF (High)
This high-severity vulnerability stems from inadequate validation of JSON credentials used in the Google Gemini connector configuration. An authenticated user with permissions to create or modify connectors could craft malicious configuration values that cause Kibana to behave in unintended ways.
Exploitation could allow an attacker to trigger unauthorized internal network requests or read arbitrary files from the underlying server. In practical terms, this could expose configuration files, credentials, or other sensitive system data. Because the issue combines server-side request forgery with path manipulation, it significantly increases the risk of internal network abuse and data leakage. The vulnerability carries a CVSS score of 8.6 and affects Kibana releases 8.15.0 through 8.19.9, 9.0.0 through 9.1.9, and 9.2.0 through 9.2.3.
CVE-2026-0543 — Email Connector Denial of Service (Medium)
This issue affects Kibana’s Email Connector and is caused by improper input validation of email address parameters. An attacker with permission to execute connectors can submit malformed inputs that trigger excessive memory consumption.
As a result, the Kibana service may become unresponsive or crash entirely, requiring a manual restart to recover. While the vulnerability is rated medium severity, it affects a wide range of versions, including all 7.x releases, 8.x releases up to 8.19.9, and 9.x releases up to 9.2.3, making it relevant for many deployments.
CVE-2026-0531 and CVE-2026-0530 — Fleet Resource Exhaustion (Medium)
Two separate but related vulnerabilities were identified in Fleet, Kibana’s agent management component. These flaws allow authenticated users with low privileges to trigger unbounded database operations through specially crafted bulk retrieval requests.
Successful exploitation can lead to memory exhaustion, degraded performance, and service instability, effectively causing a denial-of-service condition. Both vulnerabilities carry a CVSS score of 6.5 and affect the same version ranges (7.10.0 through 7.17.29, 8.x up to 8.19.9, and 9.x up to 9.2.3). At the time of disclosure, no effective workarounds were available.
Recommended Actions
Elastic strongly advises users to upgrade to the latest patched versions as soon as possible. For environments where immediate upgrades are not feasible, organizations should take additional steps to reduce exposure. These include restricting connector permissions to trusted users only, implementing network segmentation, and limiting access from untrusted networks.
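As an added, defender-side example (not Elastic's own tooling), the following Python script turns the affected-version table above into an inventory check: given the Kibana versions running in a deployment, it reports which of the four CVEs each one falls under, so upgrades can be prioritised. It assumes that "up to X" in the table means every release of that major line through X inclusive and that "All 7.x" means any 7.y.z release; the host names and versions in the sample inventory are constructed.

```python
"""Map Kibana versions to the CVEs in the advisory table (added example)."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
ANY = 10**9  # sentinel meaning "any minor/patch of this major line"


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a build/pre-release suffix after '-' is ignored."""
    parts = text.strip().split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


# Inclusive (low, high) ranges transcribed from the table above. Assumption:
# "up to X" covers that major line from .0.0 through X; "All 7.x" is any 7.y.z.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2026-0532": [((8, 15, 0), (8, 19, 9)), ((9, 0, 0), (9, 1, 9)), ((9, 2, 0), (9, 2, 3))],
    "CVE-2026-0543": [((7, 0, 0), (7, ANY, ANY)), ((8, 0, 0), (8, 19, 9)), ((9, 0, 0), (9, 2, 3))],
    "CVE-2026-0531": [((7, 10, 0), (7, 17, 29)), ((8, 0, 0), (8, 19, 9)), ((9, 0, 0), (9, 2, 3))],
    "CVE-2026-0530": [((7, 10, 0), (7, 17, 29)), ((8, 0, 0), (8, 19, 9)), ((9, 0, 0), (9, 2, 3))],
}


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose ranges contain `version` (tuple order equals semver order)."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(low <= v <= high for low, high in ranges)]


def check_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run the check over (host, version) pairs, e.g. from an asset inventory export."""
    return {host: affected_cves(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are not real systems.
    sample = [("kibana-a", "8.19.9"), ("kibana-b", "9.2.4"),
              ("kibana-c", "7.9.3"), ("kibana-d", "9.1.10-SNAPSHOT")]
    for host, cves in check_inventory(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'outside every listed affected range'}")
```

Note that a version such as 9.1.10 sits in the gap between the two 9.x ranges listed for CVE-2026-0532 while still matching the other three CVEs, which is why the check compares against each range rather than a single "through 9.2.3" bound.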
Elastic has also indicated that Elastic Cloud Serverless deployments were patched automatically prior to public disclosure, reducing risk for customers using that service.
