Elastic Patches Multiple Vulnerabilities Enabling Arbitrary File Theft and DoS Attacks - cyberpress.org

Elastic Patches Multiple Vulnerabilities Enabling Arbitrary File Theft and DoS Attacks By AnuPriya January 14, 2026 Categories: Cyber Security NewsCybersecurityVulnerabilities Elastic has released urgent security patches addressing four significant vulnerabilities in Kibana that could enable attackers to steal sensitive files, trigger service outages, and exhaust system resources. The advisories, published on January 14, 2026, affect multiple Kibana versions spanning from 7.x through 9.2.3, necessitating immediate patching across affected deployments. Critical File Disclosure and SSRF Vulnerability The most severe flaw, CVE-2026-0532, has a CVSS score of 8.6 and combines external file path control with server-side request forgery. The vulnerability resides in Kibana’s Google Gemini connector, allowing authenticated attackers with connector management privileges to craft malicious JSON payloads that can steal credentials and sensitive application data. By exploiting improper validation mechanisms, threat actors can trigger arbitrary network requests and read sensitive files directly from affected systems, potentially exposing configuration files, credentials, and application data stored on vulnerable servers. This attack vector requires authentication but poses a critical risk for organizations in which connector management permissions are widely distributed. CVE ID CVSS Score Severity Vulnerability Type CWE CVE-2026-0532 8.6 High SSRF & File Disclosure CWE-918, CWE-73 CVE-2026-0543 6.5 Medium Improper Input Validation CWE-20 CVE-2026-0531 6.5 Medium Uncontrolled Resource Allocation CWE-770 CVE-2026-0530 6.5 Medium Uncontrolled Resource Allocation CWE-770 Three medium-severity vulnerabilities introduce denial-of-service conditions via resource exhaustion mechanisms. CVE-2026-0530 and CVE-2026-0531 stem from uncontrolled resource allocation in Kibana Fleet, permitting low-privilege viewers to craft specially formatted bulk retrieval requests that trigger redundant database operations. These operations consume memory until the server crashes, rendering the platform unavailable to legitimate users. Similarly, CVE-2026-0543 affects the Email Connector, where improper input validation on email address parameters results in excessive resource consumption and complete service unavailability. The affected vulnerability chain indicates that organizations running unpatched Kibana installations face immediate exploitation risks from both external and internal threat actors. Elastic recommends urgent upgrades to version 8.19.10, 9.1.10, or 9.2.4, depending on the deployment branch. For organizations unable to upgrade immediately, Elastic provides limited mitigation options, including disabling specific connector types through the xpack.actions.enabledActionTypes configuration parameter. Organizations should prioritize patching efforts based on their deployment architecture and exposure level, with particular attention to systems accessible from untrusted networks or shared multi-tenant environments where authenticated users may execute connector operations. Notably, Elastic Cloud Serverless deployments received patches through continuous deployment models before public disclosure, shielding cloud-native users from exposure. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. Share Facebook Twitter Pinterest WhatsApp AnuPriya Any Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends. Recent Articles Oracle Releases Urgent Patch for Critical RCE Flaw in Identity Manager and Web Services Manager Cyber Security News March 21, 2026 Threat Actors Leverage Copyright-Themed Emails to Drop PureLog Stealer Cyber Security News March 21, 2026 Google Chrome Update Fixes 26 Security Flaws, Including RCE Vulnerabilities Cyber Security News March 20, 2026 Critical UNISOC T612 Modem Flaw Enables RCE via Cellular Calls Cyber Security News March 20, 2026 Fake Tools Fuel Vibe-Coded Malware Campaign Targeting Unsuspecting Users cryptocurrency March 20, 2026 Related Stories Cyber Security News Oracle Releases Urgent Patch for Critical RCE Flaw in Identity Manager and Web Services Manager Divya - March 21, 2026 Cyber Security News Threat Actors Leverage Copyright-Themed Emails to Drop PureLog Stealer Divya - March 21, 2026 Cyber Security News Google Chrome Update Fixes 26 Security Flaws, Including RCE Vulnerabilities AnuPriya - March 20, 2026 Cyber Security News Critical UNISOC T612 Modem Flaw Enables RCE via Cellular Calls AnuPriya - March 20, 2026 cryptocurrency Fake Tools Fuel Vibe-Coded Malware Campaign Targeting Unsuspecting Users Varshini - March 20, 2026 APT Cobra DocGuard Hijacked By Speagle Malware For Sensitive Data Theft Varshini - March 20, 2026 LEAVE A REPLY Comment: Name:* Email:* Website: