Our news and updates

In Kibana all versions from 8.0.0 up to and including 8.19.13, all versions from 9.0.0 up to and including 9.2.7 and all versions from 9.3.0 up to and including 9.3.2 a high severity vulnerability CVE-2026-33461 was detected. This vulnerability allows attackers with limited Fleet privileges to access sensitive configuration data, including private keys and authentication tokens, by exploiting an internal API endpoint that bypasses proper authorization checks. To address this issue, users should upgrade Kibana to versions 8.19.14, 9.2.8, or 9.3.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33461.

In Kibana all versions from 8.0.0 up to and including 8.19.13, all versions from 9.0.0 up to and including 9.2.7 and all versions from 9.3.0 up to and including 9.3.2 a medium severity vulnerability CVE-2026-33460 was detected. This vulnerability allows attackers with Fleet agent management privileges to access Fleet Server policy details from other spaces by exploiting an internal enrollment endpoint that bypasses space-scoped authorization controls. To address this issue, users should upgrade Kibana to versions 8.19.14, 9.2.8, or 9.3.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33460.

In Kibana all versions from 8.0.0 up to and including 8.19.13, all versions from 9.0.0 up to and including 9.2.7 and all versions from 9.3.0 up to and including 9.3.2 a high severity vulnerability CVE-2026-33459 was detected. This vulnerability allows authenticated users to cause denial of service (DoS) by submitting specially crafted requests with excessively large input values to the automatic import feature, leading to excessive resource consumption and service disruption. To address this issue, users should upgrade Kibana to versions 8.19.14, 9.2.8, or 9.3.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33459.

In Kibana all versions from 9.3.0 up to and including 9.3.2 a high severity vulnerability CVE-2026-33458 was detected. This vulnerability allows authenticated users with workflow creation and execution privileges to perform server-side request forgery (SSRF) by bypassing host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. To address this issue, users should upgrade Kibana to version 9.3.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33458.

In Kibana all versions from 8.0.0 up to and including 8.19.13, all versions from 9.0.0 up to and including 9.2.7 and all versions from 9.3.0 up to and including 9.3.2 a high severity vulnerability CVE-2026-4498 was detected. This vulnerability allows authenticated users with Fleet sub-feature privileges to read index data beyond their intended Elasticsearch RBAC scope due to execution with unnecessary privileges in debug route handlers. To address this issue, users should upgrade Kibana to versions 8.19.14, 9.2.8, or 9.3.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4498.

In GitLab EE versions 18.0.0 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3 a medium severity vulnerability CVE-2026-1516 was detected. This vulnerability allows authenticated users to leak IP addresses of other users viewing Code Quality reports via specially crafted report content due to improper handling of generated code. To address this issue, users should upgrade GitLab EE to versions 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1516.

In GitLab EE versions 18.2 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3 a medium severity vulnerability CVE-2026-1101 was detected. This vulnerability allows authenticated users to cause denial of service (DoS) to the GitLab instance due to improper input validation in GraphQL queries. To address this issue, users should upgrade GitLab EE to versions 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1101.

In GitLab CE/EE versions 12.10 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3 a high severity vulnerability CVE-2026-1092 was detected. This vulnerability allows unauthenticated users to cause denial of service (DoS) due to improper input validation of JSON payloads. To address this issue, users should upgrade GitLab CE/EE to versions 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1092.

In GitLab CE/EE versions 13.0 up to before 18.8.9, 18.9 up to before 18.9.5, and 18.10 up to before 18.10.3 a high severity vulnerability CVE-2025-12664 was detected. This vulnerability allows unauthenticated users to cause denial of service (DoS) by sending repeated GraphQL queries due to improper input validation and request handling. To address this issue, users should upgrade GitLab CE/EE to versions 18.8.9, 18.9.5, or 18.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12664.