CVE-2026-33462
4.6 MEDIUM
A path traversal vulnerability was identified in Kibana's dashboard management functionality
Published: 2026-05-28 · Last updated: 2026-05-29
Severity and scoring
- CVSS: 4.6 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
- CWE: CWE-22
Affected products
| Vendor | Product |
|---|---|
| elastic | kibana |
Description
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.
Source: NVD
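The description above states the bug class only in general terms: an object identifier chosen by a low-privileged user ends up in the request path that the administrator's browser later sends, and dot segments in that identifier move the request to a different endpoint. The following JavaScript is an added illustration of that class and is not Kibana's code; the host, the endpoint paths, the identifier grammar and the crafted identifier are all hypothetical, chosen only to show how WHATWG URL normalization resolves `..` segments and why an allow-list on the identifier, not encoding alone, is the control that closes it.

```javascript
// Added illustration of CWE-22 in client-side URL construction. Not Kibana's code:
// the host, endpoint paths, identifier grammar and sample identifier are hypothetical.
const API_BASE = "https://kibana.example.test";           // hypothetical host
const DASHBOARD_PREFIX = "/api/saved_objects/dashboard/"; // hypothetical endpoint

// Constructed attacker-controlled identifier: two dot segments climb out of the
// dashboard prefix and land on a different (hypothetical) endpoint.
const CRAFTED_ID = "../../security/user/admin";

// Vulnerable: the identifier is interpolated raw into the path. The URL parser
// collapses the ".." segments, so the delete request leaves DASHBOARD_PREFIX.
function buildDeleteUrlVulnerable(dashboardId) {
  return new URL(DASHBOARD_PREFIX + dashboardId, API_BASE).href;
}

// Encoding only: "/" becomes %2F, so the client-side parser no longer sees dot
// segments. Necessary but not sufficient: a server that percent-decodes the path
// before routing would restore the traversal, so do not rely on this alone.
function buildDeleteUrlEncodedOnly(dashboardId) {
  return new URL(DASHBOARD_PREFIX + encodeURIComponent(dashboardId), API_BASE).href;
}

// Hardened: reject anything that is not a plain identifier, then encode. The
// allow-list below is a hypothetical shape; a real one follows the system's own
// identifier grammar. A leading alphanumeric rules out ".", ".." and "%2e" tricks.
const SAFE_ID = /^[A-Za-z0-9][A-Za-z0-9._-]{0,255}$/;
function buildDeleteUrlHardened(dashboardId) {
  if (typeof dashboardId !== "string" || !SAFE_ID.test(dashboardId)) {
    throw new Error(`rejected identifier: ${JSON.stringify(dashboardId)}`);
  }
  return new URL(DASHBOARD_PREFIX + encodeURIComponent(dashboardId), API_BASE).href;
}

// Defence in depth for callers: after normalization the request must still sit
// on the expected origin and under the prefix it was meant for.
function staysUnderPrefix(href, prefix) {
  const u = new URL(href);
  return u.origin === API_BASE && u.pathname.startsWith(prefix);
}

// Driver that exercises all three builders on the crafted identifier.
function demo() {
  const vulnerable = buildDeleteUrlVulnerable(CRAFTED_ID);
  const encoded = buildDeleteUrlEncodedOnly(CRAFTED_ID);
  let hardened;
  try {
    hardened = buildDeleteUrlHardened(CRAFTED_ID);
  } catch (e) {
    hardened = e.message;
  }
  return {
    vulnerable,
    vulnerableStaysUnderPrefix: staysUnderPrefix(vulnerable, DASHBOARD_PREFIX),
    encoded,
    encodedStaysUnderPrefix: staysUnderPrefix(encoded, DASHBOARD_PREFIX),
    hardened,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running it with `node` shows the vulnerable builder emitting a URL whose path is `/api/security/user/admin`, the encoding-only builder keeping the request under the dashboard prefix on the client side, and the hardened builder refusing the identifier outright. The practitioner's takeaway matches the advisory: the identifier is written by a low-privileged account but the request is issued by the administrator's session, so the allow-list belongs at creation time as well as at the point where the path is built.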
References
Related CVEs
Same vendor
- CVE-2026-49095 — Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation (6.5 MEDIUM)
- CVE-2026-49094 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
- CVE-2026-49093 — Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operat... (6.3 MEDIUM)
- CVE-2026-42400 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
- CVE-2026-42399 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
Same CWE
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)
- CVE-2026-40769 — Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field <= 1... (8.6 HIGH)
- CVE-2026-40727 — Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions (7.7 HIGH)