CVE-2026-33463
Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access
5.3
MEDIUM
CVSS 3.1
EPSS 0.07%
Description
Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.
How to fix CVE-2026-33463
To remediate CVE-2026-33463, upgrade the affected package to a fixed version below.
- —upgrade to 8.19.16 or later
- —upgrade to 8.19.16 or later
Is CVE-2026-33463 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5
- >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |