[This mail comes from outside the organisation; let's stay vigilant.]

=====================================================================
CERT-Renater Note d'Information No. 2026/VULN239
_____________________________________________________________________
DATE : 27/02/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Kibana versions prior to 9.3.1, 8.19.12, 9.2.6.
=====================================================================
https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253
https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/385251
https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-14/385250
https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-13/385249
https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-12/385248
_____________________________________________________________________

Kibana 9.3.1 Security Update (ESA-2026-17)
Posted by ismisepaul (Paul), February 26, 2026, 4:55pm

Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana, which could allow an attacker to read arbitrary files from the Kibana server filesystem and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

Affected Versions:
  9.x: Version 9.3.0

Affected Configurations:
The workflows feature is turned off by default, as it is in technical preview in version 9.3.0. The feature needs to be specifically enabled within Advanced Settings.

Solutions and Mitigations:
The issue is resolved in version 9.3.1.
For Users that Cannot Upgrade:
Disable workflows: https://www.elastic.co/docs/explore-analyze/workflows/setup

Elastic Cloud Serverless:
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: High (8.6) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-26938
Problem Type: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Impact: CAPEC-242 - Code Injection
_____________________________________________________________________

Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-15)
Posted by ismisepaul (Paul), February 26, 2026, 4:54pm

Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

Affected Versions:
  8.x: All versions from 8.0.0 up to and including 8.19.10
  9.x: All versions from 9.0.0 up to and including 9.2.4

Affected Configurations:
Timelion is a legacy visualization feature that is available by default in Kibana installations.

Solutions and Mitigations:
The issue is resolved in version 8.19.11, 9.2.5.

For Users that Cannot Upgrade:
Self Managed: Customers who do not use Timelion visualizations can disable the plugin by adding the following to kibana.yml:

    vis_type_timelion.enabled: false

Cloud: Disabling this plugin in Elastic Cloud Hosted environments is not possible. Customers on Elastic Cloud Hosted should prioritize upgrading to a patched version.

Elastic Cloud Serverless:
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26937
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-153 - Input Data Manipulation
_____________________________________________________________________

Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-14)
Posted by ismisepaul (Paul), February 26, 2026, 4:53pm

Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

Affected Versions:
  8.x: All versions from 8.0.0 up to and including 8.19.10
  9.x: All versions from 9.0.0 up to and including 9.2.4

Affected Configurations:
The Elastic AI Assistant for Security is not enabled by default in Kibana. Users must explicitly configure an AI connector (e.g., OpenAI, Amazon Bedrock, or Elastic Managed LLM) and enable the AI Assistant feature from the GenAI Settings page.

Solutions and Mitigations:
The issue is resolved in version 8.19.11, 9.2.5.

For Users that Cannot Upgrade:
If the AI Assistant has been enabled with custom anonymization rules:
  Disable Custom Anonymization Rules: Navigate to Security AI settings → Anonymization tab in Kibana and disable all custom anonymization rules. This prevents the vulnerable regex processing pipeline from executing.

Elastic Cloud Serverless:
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (4.9) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26936
Problem Type: CWE-1333 - Inefficient Regular Expression Complexity
Impact: CAPEC-492 - Regular Expression Exponential Blowup
_____________________________________________________________________

Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-13)
Posted by ismisepaul (Paul), February 26, 2026, 4:53pm

Improper Input Validation in Kibana Leading to Denial of Service

Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

Affected Versions:
  8.x: All versions from 8.4.0 up to and including 8.19.11
  9.x: All versions from 9.0.0 up to and including 9.2.5
       Version 9.3.0

Affected Configurations:
Users that have not configured Content Connectors are not affected by this vulnerability, as the vulnerable endpoint is only accessible when connectors exist in the deployment.

Solutions and Mitigations:
The issue is resolved in version 8.19.12, 9.2.6, 9.3.1.

For Users that Cannot Upgrade:
Restrict Access to Content Connectors: Modify user roles to remove access to the Content Connectors feature for users who do not require it. This can be accomplished by:
  - Creating custom roles that exclude Kibana privileges for Content Connectors
  - Removing the viewer role from users who do not need Content Connectors access
  - Implementing more granular feature-level privileges

Elastic Cloud Serverless:
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26935
Problem Type: CWE-20 - Improper Input Validation
Impact: CAPEC-153 - Input Data Manipulation
_____________________________________________________________________

Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-12)
Posted by ismisepaul (Paul), February 26, 2026, 4:52pm

Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

Affected Versions:
  8.x: All versions from 8.18.0 up to and including 8.19.11
  9.x: All versions from 9.0.0 up to and including 9.2.5
       Version 9.3.0

Affected Configurations:
Index Management is enabled by default in Kibana and does not require specific configuration to be active. This vulnerability requires authentication. The attacker must have valid Kibana credentials; access with view-only privileges (such as the built-in viewer role) can cause the crash.

Solutions and Mitigations:
The issue is resolved in version 8.19.12, 9.2.6, 9.3.1.

For Users that Cannot Upgrade:
The most effective mitigation is to apply the security patch as soon as possible. In the interim, customers could:
  - Monitor Kibana server resource utilization closely
  - Restrict authenticated access to Kibana to trusted users only
  - Consider implementing application-layer request size limits if feasible in their environment

Indicators of Compromise (IOC):
  - Search for POST requests with unusually large request body sizes (e.g., greater than 100KB).
  - Monitor for sudden spikes in Kibana server CPU utilization, memory consumption, or unresponsiveness coinciding with requests to the enrich policies endpoint.
  - Check system logs for Kibana process crashes or restarts that correlate with suspicious API requests.

Elastic Cloud Serverless:
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26934
Problem Type: CWE-1284 - Improper Validation of Specified Quantity in Input
Impact: CAPEC-153 - Input Data Manipulation

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================
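The IOC list for ESA-2026-12 above asks operators to look for POST requests with unusually large bodies, to correlate them with requests to the enrich policies endpoint, and to check for crashes. The following triage script is an added example (not code from CERT-Renater or Elastic) that runs those checks over access-log lines. The one-JSON-object-per-line log format, the field names (`client`, `method`, `path`, `body_bytes`, `status`) and the sample lines are all constructed for this example; the advisory does not name the endpoint's path, so `ENRICH_PATH_FRAGMENT` is a placeholder to be replaced with the real route in your deployment.

```python
"""Triage helper for the ESA-2026-12 IOCs: flag large POST bodies and
summarise them per client, counting hits on the enrich policies endpoint
and 5xx responses (a proxy returning 502 while Kibana restarts is one
signal the advisory asks operators to correlate)."""
import json
from collections import defaultdict

BODY_THRESHOLD_BYTES = 100 * 1024  # advisory suggests flagging bodies > 100KB

# Assumption / placeholder: the advisory names "the enrich policies endpoint"
# but gives no path; substitute the route your deployment actually serves.
ENRICH_PATH_FRAGMENT = "enrich_policies"

# Constructed sample log lines (not real traffic, not Kibana's own log schema).
SAMPLE_LOG = """\
{"ts":"2026-02-27T09:00:01Z","client":"10.0.0.5","method":"GET","path":"/app/home","body_bytes":0,"status":200}
{"ts":"2026-02-27T09:00:02Z","client":"10.0.0.8","method":"POST","path":"/api/example/enrich_policies","body_bytes":512,"status":200}
{"ts":"2026-02-27T09:00:03Z","client":"10.0.0.8","method":"POST","path":"/api/example/enrich_policies","body_bytes":2097152,"status":500}
{"ts":"2026-02-27T09:00:04Z","client":"10.0.0.8","method":"POST","path":"/api/example/enrich_policies","body_bytes":4194304,"status":502}
{"ts":"2026-02-27T09:00:05Z","client":"10.0.0.9","method":"POST","path":"/api/example/upload","body_bytes":204800,"status":200}
this line is deliberately not JSON
"""


def parse_log(text: str) -> list[dict]:
    """Parse one JSON object per line; malformed lines are skipped rather than
    aborting the whole triage run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_large_posts(events: list[dict], threshold: int = BODY_THRESHOLD_BYTES) -> list[dict]:
    """Return POST events whose request body exceeds the threshold."""
    return [
        e for e in events
        if e.get("method") == "POST" and int(e.get("body_bytes", 0)) > threshold
    ]


def summarize_by_client(flagged: list[dict]) -> dict:
    """Group flagged events per client: count, largest body, hits on the
    enrich policies endpoint, and 5xx responses seen for those requests."""
    summary = defaultdict(lambda: {"count": 0, "max_body": 0, "enrich_hits": 0, "errors": 0})
    for e in flagged:
        s = summary[e.get("client", "unknown")]
        s["count"] += 1
        s["max_body"] = max(s["max_body"], int(e.get("body_bytes", 0)))
        if ENRICH_PATH_FRAGMENT in e.get("path", ""):
            s["enrich_hits"] += 1
        if int(e.get("status", 0)) >= 500:
            s["errors"] += 1
    return dict(summary)


def prioritized_clients(summary: dict) -> list[str]:
    """Clients ordered by (enrich hits, 5xx count, largest body), highest first."""
    return sorted(
        summary,
        key=lambda c: (summary[c]["enrich_hits"], summary[c]["errors"], summary[c]["max_body"]),
        reverse=True,
    )


if __name__ == "__main__":
    flagged = flag_large_posts(parse_log(SAMPLE_LOG))
    summary = summarize_by_client(flagged)
    for client in prioritized_clients(summary):
        print(client, summary[client])
```

Feed it your proxy or Kibana access logs after mapping the field names; the prioritised list puts a client whose oversized POSTs hit the enrich policies endpoint and coincide with 5xx responses at the top, which is the combination the advisory's three IOCs describe.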