
Elasticsearch


Search and analytics

Elastic drops a coordinated batch of security patches across its whole stack

Tags: security · cve · denial-of-service · kibana · elasticsearch · patch-management
Current state
Elastic's crawled feed here is its security advisory stream (ESA), not a product changelog. On July 1 it disclosed a synchronized wave of CVEs spanning Kibana, Elasticsearch, Fleet Server, and Elastic Defend. Most are Medium-severity denial-of-service or authorization issues resolved at the patch level; the standout is a High-severity (8.0) Kibana log-injection flaw.
Where it's heading
The concentration of resource-exhaustion DoS fixes across authenticated request paths — bulk APIs, machine-learning requests, Fleet uploads, Timeline deletes — reads as systematic hardening of input handling rather than any feature direction. Elastic notes Serverless was remediated ahead of public disclosure under its continuous-deployment model. Because this feed surfaces advisories, product-direction signal is not visible in these entries.
Prediction
Expect continued patch-level advisories along the same DoS and authorization lines; the feed as crawled will keep surfacing security disclosures rather than product features, so roadmap direction cannot be read from it.

Recent moves

  1. 2d ago

    Kibana 7.17.15, 8.11.1 Security Update (ESA-2026-53)

    The most severe fix in this batch: a High-rated (8.0) log-injection flaw in Kibana where unneutralized input written to logs could alter what operators see in a terminal. Resolved in 7.17.15 and 8.11.1; part of the July 1 advisory wave.

  2. 2d ago

    Elasticsearch 7.17.24, 8.15.0 Security Update (ESA-2026-52)

    An authenticated user could send a crafted bulk request to pin a node's CPU and starve it of capacity. Fixed in 7.17.24 and 8.15.0 — another entry in the same synchronized DoS-hardening batch.

  3. 2d ago

    Kibana 8.16.3, 8.17.2 Security Update (ESA-2026-51)

    An authorization gap let an authenticated user reference another user's AI Assistant conversation ID to read or modify a conversation they don't own. Fixed in Kibana 8.16.3 and 8.17.2; notable as it touches the newer AI Assistant surface.

  4. 2d ago

    Kibana 8.18.9, 8.19.6, 9.0.8, 9.1.6 Security Update (ESA-2026-50)

    With optional APM instrumentation enabled, sensitive request headers could land in application logs and be exposed to anyone with log access. Fixed across Kibana 8.18.9, 8.19.6, 9.0.8, and 9.1.6.

  5. 2d ago

    Kibana 8.19.15, 9.3.4 Security Update (ESA-2026-49)

    A crafted bulk-deletion request against the Timeline feature could exhaust resources and take Kibana down. Fixed in 8.19.15 and 9.3.4 — consistent with the batch's theme of throttling unbounded operations.

  6. 2d ago

    Elastic Defend 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-46)

    An authorization flaw in Elastic Defend let a low-privileged user view response-action data they shouldn't see. Fixed in 8.19.13, 9.2.7, and 9.3.2, extending the same-day advisory sweep into the endpoint-security product.
