Elastic Patches Multiple Vulnerabilities That Enable Arbitrary File Theft and DoS Attacks

Source: CybersecurityNews. Archived Mar 17, 2026.

Elastic has released security updates addressing four vulnerabilities across its stack, including a high-severity flaw that permits arbitrary file disclosure through a maliciously configured connector. The patches resolve issues in file handling, input validation, and resource allocation in Kibana and related components. The most severe vulnerability combines external control of a file path with server-side request forgery, allowing an authenticated attacker to read arbitrary files from an affected system.

Summary of the four CVEs (CVE ID: weakness; CVSS score and severity; affected versions):

CVE-2026-0532: External Control of File Name or Path (CWE-73) + Server-Side Request Forgery (CWE-918). CVSS 8.6, High. Affected: 8.15.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3.
CVE-2026-0543: Improper Input Validation (CWE-20) in the Email connector. CVSS 6.5, Medium. Affected: all 7.x, 8.0.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3.
CVE-2026-0531: Allocation of Resources Without Limits (CWE-770) in Fleet. CVSS 6.5, Medium. Affected: 7.10.0–7.17.29, 8.0.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3.
CVE-2026-0530: Allocation of Resources Without Limits (CWE-770) in Fleet. CVSS 6.5, Medium. Affected: 7.10.0–7.17.29, 8.0.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3.

CVE-2026-0532 stems from insufficient validation of the credentials JSON payload processed in the Google Gemini connector configuration. An attacker with connector creation or modification privileges can craft a malicious configuration that triggers unauthorized network requests and arbitrary file reads. The vulnerability carries a CVSS 3.1 score of 8.6 (High) and affects Elastic versions 8.15.0 through 8.19.9, as well as all 9.x versions up to 9.2.3. As a temporary mitigation, the connector type can be turned off in the Kibana configuration via the xpack.actions.enabledActionTypes setting. Elastic Cloud Serverless customers are unaffected because fixes are deployed continuously.

Users should upgrade to version 8.19.10, 9.1.10, or 9.2.4.

CVE-2026-0543 shows how improper input validation in Kibana's email connector enables complete service disruption through a specially crafted email address parameter. An attacker with connector execution privileges can submit a malformed email address that triggers excessive memory allocation, making the service unavailable until the server is manually restarted. This medium-severity flaw (CVSS 6.5) affects all 7.x versions, 8.x releases through 8.19.9, and 9.x versions up to 9.2.3.

Fleet Memory Exhaustion Flaws

Two further resource-allocation vulnerabilities in Kibana Fleet enable denial of service via bulk retrieval requests. CVE-2026-0531 and CVE-2026-0530 stem from database operations performed without limits, which a low-privilege logged-in user can trigger. Both flaws carry a CVSS score of 6.5 and affect 7.x from 7.10.0 through 7.17.29, 8.x through 8.19.9, and 9.x through 9.2.3. No workarounds exist for these two vulnerabilities.

Elastic recommends applying the latest security releases immediately. Organizations unable to upgrade should use network segmentation and access controls to restrict which accounts hold connector modification privileges.
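As an added example (not part of the article or of Elastic's own tooling), the affected ranges and fixed releases listed above encoded as a version check that reports which of the four CVEs apply to a given Kibana version and which fixed release to move to. Assumptions: "all 7.x" for CVE-2026-0543 is bounded at 7.17.29 (the bound the Fleet rows give), and since no 7.x fix is listed, 7.x and other lines without a fix map to the lowest fixed line above them.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Parse a Kibana version such as '9.1.5' into a comparable tuple."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Kibana version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

# Inclusive affected ranges per CVE, copied from the advisory summary.
# "7.x all" (CVE-2026-0543) is encoded as 7.0.0 through 7.17.29; that upper
# bound is an assumption taken from the Fleet rows, not stated for this CVE.
FLEET_RANGES = [((7, 10, 0), (7, 17, 29)), ((8, 0, 0), (8, 19, 9)),
                ((9, 0, 0), (9, 1, 9)), ((9, 2, 0), (9, 2, 3))]
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2026-0532": [((8, 15, 0), (8, 19, 9)), ((9, 0, 0), (9, 1, 9)),
                      ((9, 2, 0), (9, 2, 3))],
    "CVE-2026-0543": [((7, 0, 0), (7, 17, 29)), ((8, 0, 0), (8, 19, 9)),
                      ((9, 0, 0), (9, 1, 9)), ((9, 2, 0), (9, 2, 3))],
    "CVE-2026-0531": FLEET_RANGES,
    "CVE-2026-0530": FLEET_RANGES,
}

# Fixed releases named in the advisory, keyed by the (major, minor) line.
FIXED: Dict[Tuple[int, int], str] = {(8, 19): "8.19.10", (9, 1): "9.1.10", (9, 2): "9.2.4"}

def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the advisory that apply to this Kibana version."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v <= hi for lo, hi in ranges))

def upgrade_target(version: str) -> Optional[str]:
    """Fixed release to move to, or None if the version is not affected.
    Same-minor fix if one is listed; otherwise the lowest fixed line above."""
    if not affected_cves(version):
        return None
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIXED:
        return FIXED[line]
    return FIXED[min(fixed_line for fixed_line in FIXED if fixed_line > line)]
```

Run it over the versions reported by your Kibana inventory; a non-empty result for CVE-2026-0532 is the cue to disable the Gemini connector type until the upgrade lands.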