CVE-2026-49088
MediumCVSS 4.4Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
CVE-2026-49088 in Kibana allows insertion of sensitive information into log files. When optional APM instrumentation is enabled, sensitive request header values may be recorded in application logs.
Risk Assessment
Operators with log access could obtain confidential data such as tokens or API keys, leading to information disclosure and potential data breach.
Recommendation
Disable optional APM instrumentation if not needed, or configure logging to exclude sensitive headers. Restrict log file access to authorized personnel only.
Original NVD description (English source)
Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.

