QSearch

CVE-2026-33463

5.3 MEDIUM

Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure

Published: 2026-05-28 · Last updated: 2026-05-29

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-672

Affected products

Vendor: elastic
Product: kibana

Description

Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.

Source: NVD
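The description above names the bug class (an expiration timestamp that is checked incorrectly, so a time-bounded token keeps working after its window) but not the specific defect. The following is an added illustration written for this page, not Kibana's code: a hypothetical share-token validator in which the vulnerable check fails open when the stored timestamp does not coerce to a number, beside a fail-closed version that treats anything it cannot parse as already expired and re-checks on every retrieval. The token type, the `CONTENT` store, the `fetchContent` function, the fixed `NOW_MS` clock and the sample tokens are all constructed for the example.

```typescript
// Added example for this page (not Kibana's code): a content token with a
// stored expiration timestamp, checked on every retrieval. The "fail-open"
// check shows a representative CWE-672 logic error in which a timestamp that
// does not coerce to a number is never seen as expired; the "fail-closed"
// check rejects it. The defect shown is hypothetical; the advisory does not
// say what the real validation error was.

interface ContentToken {
  id: string;
  // Expiration as stored by a hypothetical share service: epoch milliseconds,
  // or an ISO-8601 string if an older record or a different writer stored it.
  expiresAt: number | string;
}

// Constructed sample store: token id -> the content the token grants.
const CONTENT: Record<string, string> = {
  "tok-1": "quarterly-dashboard.pdf",
  "tok-2": "incident-report.csv",
};

// Constructed "current time" so the example is deterministic offline.
const NOW_MS = Date.parse("2026-05-28T12:00:00Z");

// Vulnerable: Number("2026-05-01T00:00:00Z") is NaN, and NaN < NOW_MS is
// false, so an ISO-formatted (or otherwise unexpected) expiration is treated
// as still valid no matter how far in the past it is.
function isExpiredFailOpen(token: ContentToken, nowMs: number): boolean {
  return Number(token.expiresAt) < nowMs;
}

// Hardened helper: normalise to epoch milliseconds; null means "unusable".
function expiresAtMs(token: ContentToken): number | null {
  const v = token.expiresAt;
  const ms = typeof v === "number" ? v : Date.parse(v);
  return Number.isFinite(ms) ? ms : null;
}

// Hardened: an unparseable or non-finite expiration counts as expired, and a
// token is expired at exactly its expiration instant (<=), not one tick later.
function isExpiredFailClosed(token: ContentToken, nowMs: number): boolean {
  const ms = expiresAtMs(token);
  return ms === null || ms <= nowMs;
}

// Retrieval: the check runs against the clock on every request. Caching a
// "token is valid" verdict from an earlier request would reintroduce CWE-672
// even with a correct comparison.
function fetchContent(
  token: ContentToken,
  nowMs: number,
  isExpired: (t: ContentToken, now: number) => boolean,
): string | null {
  if (isExpired(token, nowMs)) return null;
  return CONTENT[token.id] ?? null;
}

// Stand-alone demonstration with a token that expired almost four weeks ago.
const staleIso: ContentToken = { id: "tok-1", expiresAt: "2026-05-01T00:00:00Z" };
console.log("fail-open  :", fetchContent(staleIso, NOW_MS, isExpiredFailOpen));   // quarterly-dashboard.pdf
console.log("fail-closed:", fetchContent(staleIso, NOW_MS, isExpiredFailClosed)); // null
```

The practitioner's check is the last two lines: with the fail-open comparison, a token whose expiration is weeks in the past still returns the content, which is exactly the outcome the advisory describes; the fail-closed version returns nothing. When reviewing a validator, test it with a past timestamp in every format the store could plausibly contain, plus a missing and a malformed value, and confirm that each of those paths denies access rather than falling through.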

References

Related CVEs

Same vendor

  • CVE-2026-49095 Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation (6.5 MEDIUM)
  • CVE-2026-49094 Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
  • CVE-2026-49093 Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operat... (6.3 MEDIUM)
  • CVE-2026-42400 Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
  • CVE-2026-42399 Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)

Same CWE

  • CVE-2026-2379 On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected beha... (5.9 MEDIUM)
  • CVE-2026-42791 Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an e... (3.7 LOW)
  • CVE-2026-33278 NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service a... (9.8 CRITICAL)
  • CVE-2026-32244 Discourse is an open-source discussion platform (5.3 MEDIUM)
  • CVE-2026-4053 Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows a... (3.1 LOW)