Elastic Kibana Path Traversal Vulnerability Leading to Unauthorized Deletion of User Accounts

Vulnerability

A path traversal vulnerability exists in Kibana's dashboard management feature. It allows an authenticated user with limited permissions to create a dashboard using a specially crafted identifier. When an administrator tries to delete this dashboard, the request is mistakenly sent to an internal endpoint, which could lead to the unauthorized deletion of user accounts or other resources. This vulnerability affects Kibana versions 8.0.0 through 8.19.15 and 9.0.0 through 9.3.4.

Impact

Exploitation of this vulnerability could result in the unauthorized deletion of user accounts or other resources, depending on the internal endpoint to which the deletion request is redirected.

Remediation

Upgrade to Kibana 8.19.16 or 9.3.5, where this vulnerability has been fixed. If you cannot upgrade, restrict dashboard creation permissions to trusted users only and limit the dashboard deletion rights of administrators.
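The check below is an added example, not Elastic's code: it tests a version string against the affected ranges stated above and audits a saved-objects export for dashboard IDs that look like paths, so they can be reviewed before an administrator deletes them. It assumes an NDJSON export with one object per line carrying "type" and "id" fields; the advisory does not describe the crafted identifier, so the heuristic (path separators or dot segments after percent-decoding) and all sample IDs are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED = [((8, 0, 0), (8, 19, 15)), ((9, 0, 0), (9, 3, 4))]

def is_affected(version):
    """True if a Kibana version such as '8.19.3' falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id(obj_id):
    """Assumed heuristic: separators or dot segments after decoding (conservative)."""
    d = fully_decode(obj_id)
    return "/" in d or "\\" in d or ".." in d

def audit_export(ndjson):
    """Return IDs of dashboard objects whose ID looks like a path."""
    flagged = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") == "dashboard" and suspicious_id(str(obj.get("id", ""))):
            flagged.append(obj["id"])
    return flagged
# Constructed sample export; IDs and the "placeholder" segments are made up.
SAMPLE = "\n".join(json.dumps(o) for o in [
    {"type": "dashboard", "id": "3f1c2b7e-0000-4000-8000-000000000001"},
    {"type": "dashboard", "id": "..%2f..%2fplaceholder%2ftarget"},
    {"type": "dashboard", "id": "%252e%252e%252fplaceholder"},
    {"type": "visualization", "id": "a/b"},
    {"exportedCount": 4, "missingRefCount": 0, "missingReferences": []},
])

if __name__ == "__main__":
    print(is_affected("8.19.15"), audit_export(SAMPLE))
```

A flagged ID is a prompt for manual review, not proof of abuse; legitimate IDs containing ".." would also be reported.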

Added: May 28, 2026, 9:24 PM
Updated: May 28, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.6
exploitability: 4.6
remediation: 7.9
relevance: 9.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.