CVE-2026-42401
Analyzed Analyzed - Analysis Complete
Stored HTML Injection in Kibana

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: Elastic

Description
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-29
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-42401
EUVD
EUVD-2026-33012
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.16 (exc)
elastic kibana From 9.0.0 (inc) to 9.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42401 is a vulnerability in Kibana versions 8.x and 9.x that involves improper neutralization of input during web page generation, leading to stored HTML injection.

A user with write access to an Elasticsearch index can inject crafted markup that is not properly sanitized when rendered in Kibana views for other users.

This flaw allows attackers to manipulate the user interface and cause outbound network requests from the affected user's browser session.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized manipulation of the Kibana user interface.

It can also cause outbound network requests to be issued from the browser session of the user viewing the injected content, potentially leading to further attacks or data leakage.

Detection Guidance

Detection of this vulnerability involves identifying if your Kibana installation is within the affected versions (8.0.0 to 8.19.15 or 9.0.0 to 9.3.4) and if there is any presence of stored HTML injection attempts in Elasticsearch indices writable by users.

Since the vulnerability involves stored HTML injection via user input in Elasticsearch indices, you can inspect the data stored in these indices for suspicious or crafted markup that could be malicious.

There are no specific commands provided in the resources, but general approaches include querying Elasticsearch indices for unusual HTML or script tags in fields that accept user input.

  • Use Elasticsearch query DSL to search for suspicious markup, for example: a query searching for '<script>' or other HTML tags in relevant fields.
  • Check the Kibana version by running: `kibana --version` or checking the Kibana UI about page to confirm if it is within the vulnerable range.
Mitigation Strategies

The primary mitigation step is to upgrade Kibana to a fixed version: 8.19.16 or later for the 8.x series, or 9.3.5 or later for the 9.x series.

Restrict write access to Elasticsearch indices to trusted users only, minimizing the risk of malicious markup injection.

Monitor and sanitize user inputs that are stored in Elasticsearch indices to prevent injection of crafted markup.

Since this vulnerability affects self-hosted plugins and deployments, consider reviewing plugin configurations and disabling any unnecessary plugins that might increase risk.

Compliance Impact

The vulnerability in Kibana (CVE-2026-42401) involves stored HTML injection that can lead to unauthorized UI manipulation and outbound network requests from a user's browser session. Such unauthorized actions could potentially expose sensitive data or allow unauthorized access, which may impact compliance with standards like GDPR or HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly describe the direct impact of this vulnerability on compliance with specific regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart