
Elasticsearch

DEVOPSINFRA · APIS
Velocity 6.3

Search and analytics

Elastic ships a coordinated wave of Kibana CVE patches alongside steady Rally tooling work.

security · kibana · cve · denial-of-service · ssrf · benchmarking
Current state
Elastic's recent feed is dominated by a single-day cluster of Kibana security advisories (ESA-2026-32 through ESA-2026-40): SSRF, denial-of-service, privilege-escalation and stored-injection fixes across the 8.19, 9.2, 9.3 and 9.4 branches. The only feature-bearing release is Rally 2.13.0, the benchmarking harness.
Where it's heading
This is security-hardening mode. A large, synchronized advisory drop points to an internal audit or coordinated-disclosure cycle rather than feature momentum. Rally aside, the product surface is being patched, not expanded.
Prediction
Expect follow-on point releases (9.4.x, 8.19.x) consolidating these fixes and a return to feature changelogs once the advisory backlog clears. Watch whether more ESA numbers in this sequence surface.

Recent moves

  1. 6d ago

    Rally 2.13.0 released

    Rally 2.13.0 adds a track-rendering command, ES|QL profiling with operator timing, and API-key auth, and drops Python 3.9 - steady tooling progress for Elastic's benchmarking harness.

  2. 12d ago

    Kibana 9.3.3 Security Update (ESA-2026-40)

Kibana 9.3.3 fixes an SSRF (ESA-2026-40) in which an authenticated user with connector-admin privileges could bypass the egress allowlist; one entry in a large coordinated security release.

  3. 12d ago

    Kibana 8.19.16 Security Update (ESA-2026-39)

    A DoS fix in Kibana 8.19.16 (ESA-2026-39): a viewer-level user could exhaust CPU and memory via oversized analytics input. Patch-and-upgrade maintenance.

  4. 12d ago

    Kibana Fleet 8.19.16, 9.3.5, and 9.4.2 Security Update (ESA-2026-38)

    A Fleet privilege-escalation fix (ESA-2026-38) across 8.19.16/9.3.5/9.4.2 - agents could be issued over-privileged API keys. The most serious of this batch.

  5. 12d ago

Kibana 9.2.8 and 9.3.2 Security Update (ESA-2026-37)

Another Kibana SSRF allowlist bypass, this one via a crafted Webhook connector (ESA-2026-37): the same class as ESA-2026-40, reached through a different vector.

  6. 12d ago

Kibana 8.19.16 and 9.3.5 Security Update (ESA-2026-36)

    A DoS fix for deeply chained Timelion expressions (ESA-2026-36): a low-privilege user could trigger unbounded memory growth and crash Kibana. Patched.

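The practical question behind this batch is which of the five advisories an installed Kibana still lacks. The script below is an added example, not Elastic tooling or code from this page; it transcribes the fixed versions named in the ESA-2026-36 through ESA-2026-40 entries above into a per-branch table and compares an installed version against it. Where an advisory lists no fix for the installed branch it reports "not listed" rather than guessing, since the entries above do not say whether unlisted branches are unaffected or simply omitted. The sample versions in the `__main__` block are constructed for illustration.

```python
"""Compare an installed Kibana version against the fixed versions named in the
ESA-2026-36..40 entries above. Example code added here, not Elastic's tooling.
FIXED_VERSIONS is transcribed from the entries above; a branch an advisory does
not list is reported as 'not listed', never as safe (assumption: the entries
above are the only source of truth used here)."""
import re

# Fixed version per advisory, keyed by release branch (major.minor), from the entries above.
FIXED_VERSIONS = {
    "ESA-2026-40": {"9.3": "9.3.3"},
    "ESA-2026-39": {"8.19": "8.19.16"},
    "ESA-2026-38": {"8.19": "8.19.16", "9.3": "9.3.5", "9.4": "9.4.2"},
    "ESA-2026-37": {"9.2": "9.2.8", "9.3": "9.3.2"},
    "ESA-2026-36": {"8.19": "8.19.16", "9.3": "9.3.5"},
}

# major.minor.patch with an optional pre-release/build suffix (e.g. 9.3.3-SNAPSHOT).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '9.3.3' (or '9.3.3-SNAPSHOT') into a comparable (9, 3, 3) tuple."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"not a Kibana version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status_for(advisory: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for one advisory.

    The comparison is done within the installed release branch only: a 9.3.x
    install is judged against the 9.3 fix, never against 9.4.2 or 8.19.16.
    """
    major, minor, patch = parse_version(installed)
    branch = f"{major}.{minor}"
    fixed = FIXED_VERSIONS[advisory].get(branch)
    if fixed is None:
        return "not listed"
    return "fixed" if (major, minor, patch) >= parse_version(fixed) else "vulnerable"


def audit(installed: str) -> dict[str, str]:
    """Status of every advisory in the table for one installed version."""
    return {adv: status_for(adv, installed) for adv in sorted(FIXED_VERSIONS)}


def outstanding(installed: str) -> list[str]:
    """Advisories whose fix for this branch is listed above and not yet applied."""
    return [adv for adv, st in audit(installed).items() if st == "vulnerable"]


if __name__ == "__main__":
    # Constructed sample versions, chosen to exercise each branch in the table.
    for v in ("9.3.2", "9.3.5", "8.19.15", "9.4.1"):
        print(v, outstanding(v) or "no listed fixes outstanding")
```

Note that a 9.3.2 install already carries the ESA-2026-37 fix (listed as 9.3.2) but still lacks ESA-2026-40 (9.3.3) and the two 9.3.5 fixes, which is exactly the kind of partial coverage a single "am I on the latest patch" check would miss; the per-advisory output makes the remaining gap explicit.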