CVE-2026-33462
HIGH WAF: High
CVSS 7.3
Published: 2026-05-28
CWE-22
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| elastic | kibana | 8.0.0 - 8.19.16 |
| elastic | kibana | 9.0.0 - 9.3.5 |
References
- discuss.elastic.co (Vendor Advisory)