Elastic Patches Multiple Vulnerabilities That Enables Arbitrary
Critical security updates from Elastic address four significant vulnerabilities across its stack, including a high-severity flaw that permits arbitrary file disclosure through compromised connector...
Critical security updates from Elastic address four significant vulnerabilities across its stack, including a high-severity flaw that permits arbitrary file disclosure through compromised connector configurations.
The patches resolve issues affecting file handling, input validation, and resource allocation mechanisms in Kibana and related components.
The most severe vulnerability combines external file path control with server-side request forgery capabilities, allowing authenticated attackers to extract arbitrary files from affected systems.
| CVE ID | Vulnerability | CVSS Score | Severity | Affected Versions |
|---|---|---|---|---|
| CVE-2026-0532 | External Control of File Name or Path (CWE-73) + Server-Side Request Forgery (CWE-918) | 8.6 | High | 8.15.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3 |
| CVE-2026-0543 | Improper Input Validation (CWE-20) in Email Connector | 6.5 | Medium | 7.x all, 8.0.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3 |
| CVE-2026-0531 | Allocation of Resources Without Limits (CWE-770) in Fleet | 6.5 | Medium | 7.10.0–7.17.29, 8.0.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3 |
| CVE-2026-0530 | Allocation of Resources Without Limits (CWE-770) in Fleet | 6.5 | Medium | 7.10.0–7.17.29, 8.0.0–8.19.9, 9.0.0–9.1.9, 9.2.0–9.2.3 |
CVE-2026-0532 stems from insufficient validation of credentials JSON payloads when processing them in the Google Gemini connector configuration.
An attacker with connector creation or modification privileges can craft malicious configurations to trigger unauthorized network requests and arbitrary file reads.
The vulnerability carries a CVSS 3.1 score of 8.6 (High). It affects Elastic versions 8.15.0 through 8.19.9, as well as all 9.x versions up to 9.2.3.
Kibana configurations allow you to turn off the connector type via the xpack setting. actions.enabledActionTypes setting as a temporary mitigation.
Elastic Cloud Serverless customers remain unaffected due to continuous deployment practices. Users should upgrade to version 8.19.10, 9.1.10, or 9.2.4.
CVE-2026-0543 demonstrates how improper input validation in Kibana’s email connector enables complete service disruption through specially crafted email address parameters.
An attacker with connector execution privileges can submit malformed email formats that trigger excessive memory allocation, causing service-wide unavailability and requiring a manual server restart.
This medium-severity flaw (CVSS 6.5) affects all 7.x versions and 8.x releases through 8.19.9, as well as 9.x versions up to 9.2.3.
Fleet Memory Exhaustion Flaws
Two additional resource-allocation vulnerabilities in Kibana Fleet enable denial-of-service attacks via bulk retrieval requests.
CVE-2026-0531 and CVE-2026-0530 exploit unlimited database actions that can be triggered by low-privilege logged-in users.
Both flaws carry identical CVSS scores of 6.5 and affect versions 7.10.0 and later, 8.x through 8.19.9, and 9.x through 9.2.3. No workarounds exist for these vulnerabilities.
Elastic recommends applying the latest security releases immediately. Organizations unable to upgrade should implement network segmentation and access controls to restrict the modification of connector privileges.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.