CVE-2026-33463 PUBLISHED

Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access

Assigner: elastic
Reserved: 20.03.2026 Published: 28.05.2026 Updated: 28.05.2026

Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Elastic
Product	Kibana
Versions	Default: unaffected affected from 8.0.0 to 8.19.15 (incl.) affected from 9.0.0 to 9.3.4 (incl.)

References

https://discuss.elastic.co/t/8-19-16-9-3-5-security-update-esa-2026-33/386551

Problem Types

CWE-672 Operation on a Resource after Expiration or Release CWE

Impacts

CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions