Elastic Stack Patches High-Severity Kibana SSRF/File Disclosure and Elasticsearch LZ4 Information Disclosure
Elastic issued security updates for Elasticsearch and Kibana (8.19.10, 9.1.10, 9.2.4) to address multiple vulnerabilities, including two high-severity issues with significant data-exposure risk. In Kibana, CVE-2026-0532 (CVSS 8.6) affects the Google Gemini connector and combines SSRF with external control of file name/path to enable arbitrary file disclosure and arbitrary outbound network requests via a specially crafted credentials JSON payload; exploitation requires authenticated access with privileges to create or modify connectors.
Elasticsearch addressed an information disclosure flaw in the yawkat LZ4 Java decompressor (CVE-2025-66566) that can leak prior buffer contents when an attacker sends specially crafted compressed input over the transport layer; affected versions span 7.14.0–7.17.29, 8.0.0–8.19.9, and 9.0.0–9.2.3. Elastic recommended upgrading to the fixed releases and provided mitigations for those unable to patch immediately, including switching transport.compression_scheme to deflate or disabling transport compression (transport.compress: false), while Kibana users can mitigate by disabling the vulnerable connector type via xpack.actions.enabledActionTypes configuration; Elastic Cloud Serverless was reported as remediated prior to public disclosure.
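A defender-side check of the mitigations described above, added here as an example (it is not Elastic's code or tooling from the advisories). It assumes flat `key: value` YAML lines, that an unset `transport.compression_scheme` means the lz4 default and an unset `transport.compress` means compression is on, and that the Gemini connector's action type id is `.gemini`; the sample configs are constructed.

```python
# Added example (not Elastic's code): checks elasticsearch.yml / kibana.yml
# fragments against the mitigations in ESA-2026-05 / ESA-2026-07. Assumed:
# flat "key: value" lines; unset transport.compression_scheme = lz4 default;
# unset transport.compress = compression on; Gemini type id is ".gemini".

# Affected Elasticsearch ranges from the advisory (inclusive).
AFFECTED_ES = [((7, 14, 0), (7, 17, 29)), ((8, 0, 0), (8, 19, 9)), ((9, 0, 0), (9, 2, 3))]

def parse_flat_yaml(text):
    """Parse simple 'key: value' lines; comments and blanks are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def version_tuple(version):
    return tuple(int(p) for p in version.split("."))

def es_version_affected(version):
    """True if the Elasticsearch version lies in an affected range."""
    v = version_tuple(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_ES)

def es_lz4_mitigated(yaml_text):
    """Mitigated when transport compression is off or the scheme is deflate."""
    s = parse_flat_yaml(yaml_text)
    if s.get("transport.compress", "true").lower() == "false":
        return True
    return s.get("transport.compression_scheme", "lz4").lower() == "deflate"

def es_lz4_exposed(version, yaml_text):
    """Unpatched version with LZ4 transport compression still in use."""
    return es_version_affected(version) and not es_lz4_mitigated(yaml_text)

def kibana_gemini_enabled(yaml_text):
    """enabledActionTypes is an allowlist: '*' (or absence) enables every type."""
    s = parse_flat_yaml(yaml_text)
    raw = s.get("xpack.actions.enabledActionTypes", "*")
    types = [t.strip().strip("\"'") for t in raw.strip("[]").split(",") if t.strip()]
    return "*" in types or ".gemini" in types

# Constructed sample configs (not from any real deployment).
ES_YAML = """
transport.compress: true            # compression on
transport.compression_scheme: lz4   # scheme affected by CVE-2025-66566
"""
ES_YAML_FIXED = ES_YAML.replace("lz4", "deflate")
KIBANA_YAML = 'xpack.actions.enabledActionTypes: [".email", ".slack"]\n'
```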
Timeline
Jan 13, 2026
Elastic discloses seven Elastic Stack vulnerabilities and urges patching
Elastic released updates addressing seven vulnerabilities across Elasticsearch, Kibana, Packetbeat, and Metricbeat, including a high-severity SSRF and arbitrary file disclosure issue in the Google Gemini connector and an information disclosure flaw in the yawkat LZ4 Java library. Elastic said versions 8.19.10, 9.1.10, and 9.2.4 resolve the issues and recommended immediate upgrades, with mitigations for the Elasticsearch transport-compression issue including switching to deflate or disabling compression.
Jan 13, 2026
Elastic releases security updates for Elasticsearch and Kibana
Elastic published security advisories ESA-2026-05 and ESA-2026-07 announcing security updates for Kibana and Elasticsearch. The fixed versions listed were 8.19.10, 9.1.10, and 9.2.4.
Related Stories

Elastic Releases Kibana 8.19.14, 9.2.8, and 9.3.3 for Security Fixes
Elastic published two security advisories, **ESA-2026-24** and **ESA-2026-25**, covering Kibana and directing users to upgrade to versions **8.19.14**, **9.2.8**, and **9.3.3**. The advisories were issued through Elastic's product security announcement channel and indicate that multiple supported Kibana release lines received coordinated security updates. The available references do not include technical synopses, affected components, or vulnerability identifiers, but they show that Elastic shipped patched Kibana releases across the 8.x and 9.x branches at the same time. Organizations running Kibana on impacted versions should review both advisories and prioritize upgrading to the listed releases to address the security issues covered by the updates.
4 weeks ago
Kibana Workflows Template Injection Enables SSRF and Arbitrary File Read (CVE-2026-26938)
Elastic disclosed **CVE-2026-26938**, a **high-severity (CVSS 8.6)** issue in *Kibana* **Workflows** caused by **improper neutralization of special elements in a template engine (CWE-1336)**. The flaw can enable **code injection (CAPEC-242)** that allows **server-side request forgery (SSRF)** and **arbitrary file read** from the Kibana server filesystem when the vulnerable workflow execution path is reached. The issue is fixed in **Kibana 9.3.1** (ESA-2026-17). Exploitation requires an authenticated user with the `workflowsManagement:executeWorkflow` privilege; the Workflows feature is **off by default** (technical preview in 9.3.0) and must be explicitly enabled in Advanced Settings, reducing exposure in default deployments. For organizations that cannot immediately upgrade, Elastic recommends **disabling Workflows**; Elastic also noted its *Elastic Cloud Serverless* offering was remediated prior to public disclosure under its continuous patching model.
4 weeks ago
Splunk Enterprise and Cloud Platform Vulnerabilities Allow Remote Code Execution and SSRF
Splunk has disclosed six critical security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform, exposing organizations to significant risks. The vulnerabilities include multiple cross-site scripting (XSS) flaws, an unauthenticated server-side request forgery (SSRF) vulnerability, and other weaknesses in Splunk’s web components. Two of the most notable XSS vulnerabilities are CVE-2025-20367, a reflected XSS in the /app/search/table endpoint, and CVE-2025-20368, a stored XSS in the Saved Search and Job Inspector features. Both XSS flaws can be exploited by low-privileged users to execute malicious JavaScript in the browsers of other users, potentially compromising user sessions and exposing sensitive data. The SSRF vulnerability, CVE-2025-20371, is particularly severe as it allows unauthenticated attackers to coerce Splunk into making REST API calls on behalf of authenticated high-privilege users, which could lead to further compromise of internal systems. These vulnerabilities affect multiple versions of Splunk Enterprise, specifically those below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as various versions of Splunk Cloud Platform. Successful exploitation of these flaws could allow attackers to gain unauthorized access, escalate privileges, and perform actions on behalf of legitimate users. Splunk has released patches addressing all six vulnerabilities and urges administrators to update their deployments immediately to mitigate the risks. The vulnerabilities highlight the importance of regular security assessments and prompt patch management in enterprise environments. Organizations using affected Splunk versions are advised to review their access logs for signs of exploitation and to apply the security updates without delay. The disclosure underscores the potential impact of web-based vulnerabilities in widely used security and analytics platforms. 
Security teams should also consider reviewing user permissions and monitoring for unusual activity in Splunk environments. The coordinated disclosure and rapid patching demonstrate the ongoing efforts by vendors and the security community to address critical flaws. These vulnerabilities, if left unpatched, could be leveraged in targeted attacks against organizations relying on Splunk for security monitoring and data analytics. The incident serves as a reminder of the evolving threat landscape and the need for vigilance in securing enterprise software. Splunk’s response includes detailed advisories and guidance for affected customers. The company has not reported any active exploitation in the wild at the time of disclosure, but the technical details provided could accelerate attempts by threat actors to develop exploits. Organizations are encouraged to stay informed about security advisories and to implement layered defenses to reduce the risk of compromise.
1 month ago