CVE-2026-33463
Kibana Token Expiration Logic Error Leads to Unauthorized Access

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Elastic

Description
Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.
Meta Information
Published: 2026-05-28 | Last Modified: 2026-05-28 | Generated: 2026-05-29 | AI Q&A: 2026-05-28 | EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor  | Product | Version / Range
elastic | kibana  | From 8.0.0 (inclusive) to 8.19.15 (inclusive)
elastic | kibana  | From 9.0.0 (inclusive) to 9.3.4 (inclusive)
CWE
CWE ID  | Description
CWE-672 | The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33463 is a security vulnerability in Kibana versions 8.x (from 8.0.0 to 8.19.15) and 9.x (from 9.0.0 to 9.3.4) caused by a logic error in how expiration timestamps are validated for time-bounded access tokens.

This error allows these tokens to remain usable beyond their intended expiration time, meaning an unauthorized actor who has such a token can still access the associated content after the token should have expired.

The vulnerability specifically affects deployments using the public file sharing feature to issue time-limited download links. Deployments that do not use public share tokens are not affected.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized information disclosure because an attacker with a time-bounded access token can retrieve content even after the token's expiration.

Since the vulnerability does not impact integrity or availability, the main risk is that sensitive or private information shared via public file sharing could be accessed by unauthorized users beyond the intended time window.

If you use Kibana's public file sharing feature to issue time-limited download links, this could expose your shared files to unauthorized access.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a logic error in expiration timestamp validation for time-bounded access tokens used in Kibana's public file sharing feature. Detection involves identifying if any expired public share tokens are still being accepted by the system.

Since the issue specifically affects public file share tokens, you can check for active or expired tokens in your Kibana deployment related to public file sharing.

No specific commands are provided in the available resources to detect this vulnerability directly on your network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade Kibana to version 8.19.16 or 9.3.5 where the issue is resolved.

  • If upgrading is not possible immediately, revoke all active public file share tokens.
  • Avoid issuing new public file share tokens until the upgrade is applied.
  • Restrict file-sharing access to trusted administrators only.
