Elastic Patches Multiple Vulnerabilities Enabling Arbitrary File Theft and DoS Attacks

Source: cyberpress.org (archived Mar 29, 2026)


By AnuPriya, January 14, 2026

Elastic has released urgent security patches addressing four significant vulnerabilities in Kibana that could enable attackers to steal sensitive files, trigger service outages, and exhaust system resources. The advisories, published on January 14, 2026, affect multiple Kibana versions spanning from 7.x through 9.2.3, necessitating immediate patching across affected deployments.

Critical File Disclosure and SSRF Vulnerability

The most severe flaw, CVE-2026-0532, has a CVSS score of 8.6 and combines external control of a file path with server-side request forgery. The vulnerability resides in Kibana's Google Gemini connector and allows authenticated attackers with connector management privileges to craft malicious JSON payloads that steal credentials and sensitive application data. By exploiting improper validation, threat actors can trigger arbitrary network requests and read sensitive files directly from affected systems, potentially exposing configuration files, credentials, and application data stored on vulnerable servers. This attack vector requires authentication but poses a critical risk for organizations in which connector management permissions are widely distributed.

CVE ID          CVSS  Severity  Vulnerability type                CWE
CVE-2026-0532   8.6   High      SSRF & File Disclosure            CWE-918, CWE-73
CVE-2026-0543   6.5   Medium    Improper Input Validation         CWE-20
CVE-2026-0531   6.5   Medium    Uncontrolled Resource Allocation  CWE-770
CVE-2026-0530   6.5   Medium    Uncontrolled Resource Allocation  CWE-770

Three medium-severity vulnerabilities introduce denial-of-service conditions through resource exhaustion. CVE-2026-0530 and CVE-2026-0531 stem from uncontrolled resource allocation in Kibana Fleet, which permits low-privilege viewers to craft specially formatted bulk retrieval requests that trigger redundant database operations. These operations consume memory until the server crashes, rendering the platform unavailable to legitimate users. Similarly, CVE-2026-0543 affects the Email Connector, where improper input validation of email address parameters results in excessive resource consumption and complete service unavailability.

Taken together, these flaws expose organizations running unpatched Kibana installations to exploitation by both external and internal threat actors. Elastic recommends urgent upgrades to version 8.19.10, 9.1.10, or 9.2.4, depending on the deployment branch. For organizations unable to upgrade immediately, Elastic provides limited mitigation options, including disabling specific connector types through the xpack.actions.enabledActionTypes configuration parameter. Organizations should prioritize patching based on their deployment architecture and exposure level, with particular attention to systems accessible from untrusted networks or shared multi-tenant environments where authenticated users may execute connector operations. Notably, Elastic Cloud Serverless deployments received patches through continuous deployment before public disclosure, shielding cloud-native users from exposure.
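The advisory leaves two operational questions to the reader: which fixed release a given Kibana build should move to, and whether the xpack.actions.enabledActionTypes allowlist actually removes the two affected connectors while a host waits for that upgrade. The triage helper below is an added example written for this page, not Elastic's tooling or anything from the advisories. It encodes only the facts stated above (affected range 7.x to 9.2.3; fixed releases 8.19.10, 9.1.10 and 9.2.4; the allowlist setting) plus two labelled assumptions: that the connector type ids are ".gemini" and ".email", and that a branch with no listed fix (7.x, 8.0 to 8.18, 9.0) counts as unpatched. The sample inventory in main() is constructed.

```python
"""Patch/mitigation triage for the January 2026 Kibana advisories
(CVE-2026-0530, CVE-2026-0531, CVE-2026-0532, CVE-2026-0543).

Added example; not Elastic's code. Inputs are the running Kibana version and
the kibana.yml value of xpack.actions.enabledActionTypes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Fixed releases named in the advisories, one per maintained branch.
FIXED_RELEASES = [(8, 19, 10), (9, 1, 10), (9, 2, 4)]

# Connector types implicated: Google Gemini (CVE-2026-0532) and Email (CVE-2026-0543).
# ASSUMPTION: ".gemini" and ".email" are Kibana's action-type ids for these
# connectors; confirm against the connector documentation for your version.
RISKY_CONNECTOR_TYPES = frozenset({".gemini", ".email"})


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating a 'v' prefix and a '-SNAPSHOT' suffix."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True when the build is at or above the fix for its own minor branch.

    ASSUMPTION: a branch with no listed fix (7.x, 8.0-8.18, 9.0) is unpatched;
    a branch newer than the last fixed one on the same major is assumed fixed.
    """
    v = parse_version(version)
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return v >= fixed
    same_major = [f for f in FIXED_RELEASES if f[0] == v[0]]
    if same_major:
        return v > max(same_major)
    return v > max(FIXED_RELEASES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release above the running build, or None if already patched."""
    if is_patched(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED_RELEASES if f > v]
    target = min(candidates) if candidates else max(FIXED_RELEASES)
    return ".".join(str(n) for n in target)


def exposed_connectors(enabled_action_types: list[str]) -> set[str]:
    """Risky connector types still reachable under the given allowlist.

    xpack.actions.enabledActionTypes is an allowlist; Kibana's default ["*"]
    enables every connector type, so a wildcard leaves both connectors exposed.
    """
    enabled = set(enabled_action_types)
    if "*" in enabled:
        return set(RISKY_CONNECTOR_TYPES)
    return set(RISKY_CONNECTOR_TYPES & enabled)


@dataclass
class TriageResult:
    version: str
    patched: bool
    upgrade_to: Optional[str]
    exposed: set[str] = field(default_factory=set)
    status: str = ""


def triage(version: str, enabled_action_types: list[str]) -> TriageResult:
    """Combine version state and connector allowlist into one verdict.

    The allowlist only addresses the two connector flaws; the Fleet resource
    exhaustion (CVE-2026-0530/0531) is not mitigated by it, so an unpatched
    host is still reported as vulnerable even with a tight allowlist.
    """
    patched = is_patched(version)
    exposed = exposed_connectors(enabled_action_types)
    if patched:
        status = "patched"
    elif exposed:
        status = "vulnerable: upgrade required; connector flaws reachable via " + ", ".join(sorted(exposed))
    else:
        status = "vulnerable: Fleet DoS still present; connector flaws mitigated by allowlist"
    return TriageResult(version, patched, recommended_upgrade(version), exposed, status)


def main() -> None:
    # Constructed inventory: (hostname, kibana version, enabledActionTypes)
    inventory = [
        ("kibana-prod-01", "9.2.3", ["*"]),
        ("kibana-prod-02", "9.2.4", ["*"]),
        ("kibana-legacy", "7.17.20", [".slack", ".webhook"]),
        ("kibana-dev", "8.19.9", [".email", ".slack"]),
    ]
    for host, version, types in inventory:
        r = triage(version, types)
        print(f"{host:15} {version:9} upgrade_to={r.upgrade_to or '-':8} {r.status}")


if __name__ == "__main__":
    main()
```

Run it against a real inventory export and the "mitigated by allowlist" rows are the ones where the configuration change buys time but does not close the Fleet denial-of-service findings, which is the distinction the advisory's "limited mitigation options" wording is making.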