CVE-2026-33462 MEDIUM

CVE-2026-33462: Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

Vendor Elastic
Product Kibana
Weakness CWE-22 · Path traversal
Published May 28, 2026
Last update May 29, 2026

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 29, 2026 Record updated