CVE-2026-49088
MEDIUM
Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to...
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Kibana | — | — | No patch |
Do you use Kibana? You're affected.
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Frequently Asked Questions
What is CVE-2026-49088?
Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.
Is CVE-2026-49088 actively exploited?
No confirmed active exploitation of CVE-2026-49088 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-49088?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-49088?
CVE-2026-49088 has a CVSS v3.1 base score of 4.4 (MEDIUM).
What are the technical details?
Original Advisory
Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.
Weaknesses (CWE)
CWE-532 — Insertion of Sensitive Information into Log File: The product writes sensitive information to a log file.
- [Architecture and Design, Implementation] Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
- [Distribution] Remove debug log files before deploying the application into production.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N