CVE Catalog

CVE-2026-49088

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

CVE-2026-49088 in Kibana allows insertion of sensitive information into log files. When optional APM instrumentation is enabled, sensitive request header values may be recorded in application logs.

Risk Assessment

Operators with log access could obtain confidential data such as tokens or API keys, leading to information disclosure and potential data breach.

Recommendation

Disable optional APM instrumentation if not needed, or configure logging to exclude sensitive headers. Restrict log file access to authorized personnel only.

Original NVD description (English source)

Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS