Elasticsearch
Search and analytics
Elastic drops a coordinated batch of security patches across its whole stack
Recent moves
- 2d ago
Kibana 7.17.15, 8.11.1 Security Update (ESA-2026-53)
The most severe fix in this batch: a High-rated (8.0) log-injection flaw in Kibana where unneutralized input written to logs could alter what operators see in a terminal. Resolved in 7.17.15 and 8.11.1; part of the July 1 advisory wave.
- 2d ago
Elasticsearch 7.17.24, 8.15.0 Security Update (ESA-2026-52)
An authenticated user could send a crafted bulk request to pin a node's CPU and starve it of capacity. Fixed in 7.17.24 and 8.15.0 — another entry in the same synchronized DoS-hardening batch.
- 2d ago
Kibana 8.16.3, 8.17.2 Security Update (ESA-2026-51)
An authorization gap let an authenticated user reference another user's AI Assistant conversation ID to read or modify a conversation they don't own. Fixed in Kibana 8.16.3 and 8.17.2; notable as it touches the newer AI Assistant surface.
- 2d ago
Kibana 8.18.9, 8.19.6, 9.0.8, 9.1.6 Security Update (ESA-2026-50)
With optional APM instrumentation enabled, sensitive request headers could land in application logs and be exposed to anyone with log access. Fixed across Kibana 8.18.9, 8.19.6, 9.0.8, and 9.1.6.
- 2d ago
Kibana 8.19.15, 9.3.4 Security Update (ESA-2026-49)
A crafted bulk-deletion request against the Timeline feature could exhaust resources and take Kibana down. Fixed in 8.19.15 and 9.3.4 — consistent with the batch's theme of throttling unbounded operations.
- 2d ago
Elastic Defend 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-46)
An authorization flaw in Elastic Defend let a low-privileged user view response-action data they shouldn't see. Fixed in 8.19.13, 9.2.7, and 9.3.2, extending the same-day advisory sweep into the endpoint-security product.