Elastic Releases Kibana 8.19.14, 9.2.8, and 9.3.3 for Security Fixes
Elastic published two security advisories, ESA-2026-24 and ESA-2026-25, covering Kibana and directing users to upgrade to versions 8.19.14, 9.2.8, and 9.3.3. The advisories were issued through Elastic's product security announcement channel and indicate that multiple supported Kibana release lines received coordinated security updates.
The available references do not include technical synopses, affected components, or vulnerability identifiers, but they show that Elastic shipped patched Kibana releases across the 8.x and 9.x branches at the same time. Organizations running Kibana on impacted versions should review both advisories and prioritize upgrading to the listed releases to address the security issues covered by the updates.
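Added here as a defender's inventory check, not part of Elastic's advisory or tooling: given the version each Kibana instance reports (for example `version.number` from Kibana's `/api/status` endpoint), it classifies the instance against the fixed releases named above, and flags release lines the advisories do not list so they are checked separately rather than silently treated as safe. The sample inventory is constructed.

```python
"""Classify Kibana instances against the fixed releases in ESA-2026-24 / ESA-2026-25."""
import re

# Fixed releases listed in the advisories, keyed by (major, minor) release line.
FIXED_RELEASES = {
    (8, 19): (8, 19, 14),
    (9, 2): (9, 2, 8),
    (9, 3): (9, 3, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse a 'major.minor.patch' string into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version_text):
    """Return 'patched', 'upgrade', or 'unlisted' for one reported Kibana version."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        # Release line not named in these advisories: do not assume it is unaffected.
        return "unlisted"
    return "patched" if v >= fixed else "upgrade"


def triage(inventory):
    """Map host -> status for a dict of host -> reported version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = {
    "kibana-prod-a": "8.19.13",
    "kibana-prod-b": "9.2.8",
    "kibana-dev": "9.3.2",
    "kibana-legacy": "9.1.7",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unlisted` are on a line with no fixed release on this page and need the advisories themselves consulted.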
Timeline
Apr 8, 2026
Elastic publishes Kibana security advisory ESA-2026-25
Elastic published a second Kibana security advisory, ESA-2026-25, also tied to Kibana versions 8.19.14, 9.2.8, and 9.3.3. The reference indicates a distinct advisory but does not include additional vulnerability details.
Apr 8, 2026
Elastic releases Kibana 8.19.14, 9.2.8, and 9.3.3 for ESA-2026-24
Elastic published security advisory ESA-2026-24 for Kibana and announced the availability of Kibana versions 8.19.14, 9.2.8, and 9.3.3. No further technical details are provided in the reference content.
Related Stories

Elastic Stack Patches High-Severity Kibana SSRF/File Disclosure and Elasticsearch LZ4 Information Disclosure
Elastic issued security updates for *Elasticsearch* and *Kibana* (8.19.10, 9.1.10, 9.2.4) to address multiple vulnerabilities, including two high-severity issues with significant data-exposure risk. In Kibana, **CVE-2026-0532** (CVSS 8.6) affects the **Google Gemini connector** and combines *SSRF* with *external control of file name/path* to enable **arbitrary file disclosure** and arbitrary outbound network requests via a specially crafted `credentials` JSON payload; exploitation requires authenticated access with privileges to create or modify connectors. Elasticsearch addressed an **information disclosure** flaw in the **yawkat LZ4 Java** decompressor (**CVE-2025-66566**) that can leak prior buffer contents when an attacker sends specially crafted compressed input over the transport layer; affected versions span 7.14.0–7.17.29, 8.0.0–8.19.9, and 9.0.0–9.2.3. Elastic recommended upgrading to the fixed releases and provided mitigations for those unable to patch immediately, including switching `transport.compression_scheme` to `deflate` or disabling transport compression (`transport.compress: false`), while Kibana users can mitigate by disabling the vulnerable connector type via `xpack.actions.enabledActionTypes` configuration; Elastic Cloud Serverless was reported as remediated prior to public disclosure.
1 month ago
Kibana Workflows Template Injection Enables SSRF and Arbitrary File Read (CVE-2026-26938)
Elastic disclosed **CVE-2026-26938**, a **high-severity (CVSS 8.6)** issue in *Kibana* **Workflows** caused by **improper neutralization of special elements in a template engine (CWE-1336)**. The flaw can enable **code injection (CAPEC-242)** that allows **server-side request forgery (SSRF)** and **arbitrary file read** from the Kibana server filesystem when the vulnerable workflow execution path is reached. The issue is fixed in **Kibana 9.3.1** (ESA-2026-17). Exploitation requires an authenticated user with the `workflowsManagement:executeWorkflow` privilege; the Workflows feature is **off by default** (technical preview in 9.3.0) and must be explicitly enabled in Advanced Settings, reducing exposure in default deployments. For organizations that cannot immediately upgrade, Elastic recommends **disabling Workflows**; Elastic also noted its *Elastic Cloud Serverless* offering was remediated prior to public disclosure under its continuous patching model.
4 weeks ago
Coordinated Vendor Patch Advisories for Enterprise Software and Linux Kernel
The Canadian Centre for Cyber Security issued multiple **alerts and advisories** urging organizations to apply vendor patches for newly disclosed vulnerabilities across widely deployed enterprise platforms, including **Splunk** (Enterprise, Cloud Platform, Universal Forwarder, and *DB Connect* prior to `4.2.0`), **GitHub Enterprise Server** (patched releases `3.19.2`, `3.18.5`, `3.17.11`, `3.16.14`, `3.15.18`, `3.14.23`), **Jenkins** (Weekly `2.550` and prior; LTS `2.541.1` and prior), and **Atlassian** products (**Bamboo**, **Confluence**, and **Crowd** Data Center/Server across multiple versions). The advisories are framed as patch-and-mitigate guidance rather than incident reporting, emphasizing rapid update adoption to reduce exposure. Additional vendor guidance highlighted kernel-level risk and security tooling exposure. **Tenable** released a critical update for **Tenable Security Center** (`6.7.2` and prior) via stand-alone patches, and **Red Hat** published multiple advisories (Feb 9–15) including **Linux kernel** fixes across several RHEL-related offerings (e.g., *Red Hat Enterprise Linux* and *CodeReady Linux Builder*). Separately, F5 tracked a **Linux kernel vulnerability** identified as **CVE-2025-22026** in its product advisory, reinforcing the need to prioritize kernel patching where affected components are present.
1 month ago