CVE-2026-33463 | THREATINT

Description

Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration.

PUBLISHED Reserved 2026-03-20 | Published 2026-05-28 | Updated 2026-05-29 | Assigner elastic

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-672 Operation on a Resource after Expiration or Release

Product status

Default status

unaffected

8.0.0 (semver)

affected

9.0.0 (semver)

affected

References

discuss.elastic.co/...3-5-security-update-esa-2026-33/386551

cve.org (CVE-2026-33463)

nvd.nist.gov (CVE-2026-33463)

Download JSON