Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors
The attacker exploits the prototype pollution mechanism (CWE-1321) by uploading a specially crafted file and sending appropriately constructed HTTP requests. Manipulation of JavaScript object prototypes allows injection and execution of malicious code on the server side. In Kibana versions >= 8.15.0 and < 8.17.1, the exploit is available to any user with the Viewer role. In versions 8.17.1 and 8.17.2, the vulnerability is exploitable only by users possessing all of the following permissions: fleet-all, integrations-all, and actions:execute-advanced-connectors.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) in the context of the Kibana server, which may lead to complete system takeover, data breach, and compromise of integrity and availability of the environment.
Kibana must be updated to version 8.17.3 or 8.16.6 according to information published by Elastic (ESA-2025-06). Details available at: https://discuss.elastic.co/t/kibana-8-17-3-8-16-6-security-update-esa-2025-06/375441
Elastic Kibana in versions >= 8.15.0 and < 8.17.1 (exploitable by users with Viewer role) and versions 8.17.1 and 8.17.2 (exploitable by users with fleet-all, integrations-all, actions:execute-advanced-connectors permissions).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HElastic Kibana
APPElastic8.15.0 – 8.16.6 (bez)8.17.0 – 8.17.3 (bez)
Related vulnerabilities
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...
Prototype Pollution w Kibana prowadzące do RCE przez HTTP
RCE przez deserializację YAML w Elastic Kibana
Deserializacja YAML w Kibana umożliwia zdalne wykonanie kodu (RCE)
RCE w Kibana — prototype pollution przez ML i Alerting connector