Elastic has released a massive security update addressing seven distinct vulnerabilities across its ecosystem, urging administrators to patch immediately against threats ranging from arbitrary file theft to crippling Denial-of-Service (DoS) attacks. The advisory covers a wide blast radius, affecting Elasticsearch, Kibana, Packetbeat, and Metricbeat, with the most severe flaws allowing attackers to read sensitive files or peek into memory buffers.
The most alarming vulnerability in the batch is a high-severity flaw (CVSS 8.6) in the Google Gemini connector. Tracked as CVE-2026-0532, this vulnerability exposes the system to Server-Side Request Forgery (SSRF) and Arbitrary File Disclosure.
The issue stems from insufficient validation when the server processes configuration data. According to the advisory, an attacker with privileges to create or modify connectors can exploit this by submitting a “specially crafted credentials JSON payload”. Successful exploitation allows the attacker to force the server into making arbitrary network requests or revealing local files.
Elasticsearch itself is affected by an Information Disclosure vulnerability rated CVSS 8.4. The flaw resides in the yawkat LZ4 Java library, a component Elasticsearch uses to compress data on the transport layer.
The vulnerability allows an attacker to “read previous buffer contents through specially crafted compressed input sent via the transport layer”. Essentially, by manipulating the compressed data stream, an attacker can trick the system into leaking data that should have been overwritten or inaccessible.
Administrators who cannot patch immediately are advised to switch their transport compression scheme to deflate, or to disable transport compression entirely, so that the vulnerable LZ4 decompressor is no longer used.
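As an added defender's check (not from the advisory or from Elastic), the script below walks the node list returned by Elasticsearch's GET /_nodes/settings API and flags nodes that are still below the fixed releases named here, reporting whether each one would still feed traffic through the LZ4 scheme. The sample response is constructed, and the handling of minor lines the advisory does not list (treated as patched above 9.2, unpatched below) is an assumption.

```python
# Audit Elasticsearch nodes for exposure to the LZ4 transport flaw, using the
# JSON of GET /_nodes/settings (real API). A constructed sample is embedded so
# the script runs offline. Fixed releases from the advisory: 8.19.10, 9.1.10, 9.2.4.
FIXED = {(8, 19): (8, 19, 10), (9, 1): (9, 1, 10), (9, 2): (9, 2, 4)}

def parse_version(text):
    """'9.2.3-SNAPSHOT' -> (9, 2, 3)."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])

def is_patched(version):
    """Assumption: patched when at or above the fixed release of its own minor
    line; lines newer than 9.2 count as patched, older unlisted lines (8.18, 9.0)
    as needing an upgrade to one of the fixed lines."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return v >= fixed if fixed else v[:2] > max(FIXED)

def transport_scheme(settings):
    """Effective scheme: 'none', 'deflate' or 'lz4'. Accepts nested or flat keys;
    defaults (compress=indexing_data, scheme=lz4) are assumed from the ES docs."""
    nested = settings.get("transport", {})
    compress = settings.get("transport.compress", nested.get("compress", "indexing_data"))
    scheme = settings.get("transport.compression_scheme", nested.get("compression_scheme", "lz4"))
    return "none" if str(compress).lower() == "false" else str(scheme).lower()

def audit(nodes_settings):
    """Map node name -> finding for every node still below a fixed release."""
    findings = {}
    for node in nodes_settings["nodes"].values():
        if is_patched(node["version"]):
            continue
        scheme = transport_scheme(node.get("settings", {}))
        findings[node["name"]] = {"version": node["version"], "scheme": scheme,
                                  "lz4_active": scheme == "lz4"}
    return findings

# Constructed sample in the shape of GET /_nodes/settings (not a real cluster).
SAMPLE = {"nodes": {
    "n1": {"name": "data-1", "version": "9.2.3", "settings": {"transport": {"compress": "true"}}},
    "n2": {"name": "data-2", "version": "9.2.4", "settings": {"transport": {"compress": "true"}}},
    "n3": {"name": "data-3", "version": "8.19.9",
           "settings": {"transport.compress": "true", "transport.compression_scheme": "deflate"}},
    "n4": {"name": "data-4", "version": "8.18.2", "settings": {"transport": {"compress": "false"}}},
}}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, finding)
```

Nodes reported with `lz4_active` true need either the upgrade or the deflate/disable workaround now; the others still need the upgrade, since the workaround only sidesteps the LZ4 decompressor.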
The update also addresses a trio of Denial-of-Service vulnerabilities affecting Kibana, Elastic’s visualization dashboard.
- Email Connector Crash (CVE-2026-0543): A flaw in the Email Connector allows an authenticated attacker to send a “specially crafted email address parameter,” triggering an “excessive allocation” of resources that crashes the service for all users.
- Fleet Database Overload (CVE-2026-0531): In Kibana Fleet, a user with low-level “viewer” privileges can send a bulk retrieval request that forces the application into “redundant database retrieval operations,” consuming memory until the server crashes.
- Resource Exhaustion (CVE-2026-0530): Similarly, another flaw in Fleet allows attackers to trigger redundant processing operations, leading to service degradation.
Finally, the “Beats” family of data shippers received patches for two vulnerabilities, both rated CVSS 6.5:
- Packetbeat (CVE-2026-0529): The MongoDB protocol parser is vulnerable to a buffer overflow. An attacker can exploit this by sending “specially crafted network traffic” to a monitored interface.
- Metricbeat (CVE-2026-0528): A validation flaw in the Graphite, Zookeeper, and Prometheus modules allows attackers to cause a Denial of Service via malformed metric data.
Elastic has released versions 8.19.10, 9.1.10, and 9.2.4 to resolve all seven vulnerabilities. Users are strongly recommended to upgrade their stack immediately to close these potential entry points.