{
  "canonical_id": "kibana--ca14c406d9",
  "system_id": "kibana",
  "display_name": "Kibana",
  "category": "platforms",
  "advisory_mode": "core",
  "title": "Elasticsearch 8.19.8, 9.1.8 Security Update (ESA-2026-18)",
  "summary": "<p><strong>Deserialization of Untrusted Data in Elasticsearch Leading to Remote Code Execution</strong></p>\n<p>Dependency on Vulnerable Third-Party Component (CWE-1395) exists in PyTorch used by the machine learning model loading component in Elasticsearch that can allow an attacker to achieve remote code execution via Object Injection (CAPEC-586). Exploitation requires an attacker to have high-privileged access (the <code>machine_learning_admin</code> role) to upload and deploy a specially crafted, malicious model to the Elasticsearch cluster that triggers known vulnerabilities CVE-2025-32434.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.7</li>\n<li>9.x: All versions from 9.0.0 up to and including 9.1.7</li>\n<li>Versions 9.2.0+ were never affected</li>\n</ul>\n<p><strong>Affected Configurations:</strong></p>\n<p>The vulnerability affects Elasticsearch deployments that have ML nodes and where PyTorch-based NLP models can be uploaded and deployed.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.8, 9.1.8.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p>Ensure that only trusted users are granted the machine_learning_admin role. Revoke this role from any users who do not have a legitimate need to upload or manage ML models.</p>\n<p>Disable ML entirely: If ML functionality is not required, set xpack.ml.enabled: false in elasticsearch.yml on all nodes. Note that this disables all ML features, not just PyTorch model loading.</p>\n<p>Only use models from trusted sources: As stated in the official Elastic documentation: \"PyTorch models can execute code on your Elasticsearch server, exposing your cluster to potential security vulnerabilities. Only use models from trusted sources and never use models from unverified or unknown providers.\"</p>\n<p><strong>Elastic Cloud Serverless</strong></p>\n<p>Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.</p>\n<p><strong>Severity:</strong> CVSSv3.1: High ( 7.2 ) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H<br>\n<strong>CVE ID</strong>: CVE-2025-32434<br>\n<strong>Problem Type:</strong> CWE-502 - Deserialization of Untrusted Data<br>\n<strong>Impact:</strong> CAPEC-586 - Object Injection</p>\n            <p><small>1 post - 1 participant</small></p>\n            <p><a href=\"https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-security-update-esa-2026-18/385534\">Read full topic</a></p>",
  "published_at": "Thu, 19 Mar 2026 16:59:18 +0000",
  "updated_at": "Thu, 19 Mar 2026 16:59:18 +0000",
  "severity": "unknown",
  "cvss_score": null,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-security-update-esa-2026-18/385534",
  "secondary_source_urls": [],
  "aliases": [],
  "cve_ids": [],
  "ghsa_ids": [],
  "osv_ids": [],
  "affected_versions": [],
  "fixed_versions": [],
  "package_name": null,
  "render_markdown": false,
  "case_path": null,
  "secure_code_topics": [
    "authz-server-side-recheck",
    "xss-output-encoding",
    "proxy-trust-boundary",
    "file-upload-validation",
    "dependency-upgrade-policy",
    "deserialization-safety"
  ],
  "status": "triage",
  "triage_reasons": [
    "missing affected/fixed version details"
  ],
  "entity_refs": [
    {
      "entity_id": "kibana",
      "entity_type": "system",
      "relation": "root-system",
      "root_system_id": "kibana",
      "official": true
    }
  ],
  "affected_components": [
    {
      "name": "Kibana",
      "entity_id": "kibana",
      "scope": "core",
      "package_name": null,
      "official": true
    }
  ],
  "affected_version_ranges": [],
  "fixed_version_ranges": [],
  "introduced_version": null,
  "patched_version": null,
  "version_evidence_sources": [
    "https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-security-update-esa-2026-18/385534"
  ],
  "affected_version_refs": [],
  "fixed_version_refs": [],
  "patched_version_refs": [],
  "version_sync_confidence": "low",
  "advisory_scope": "core",
  "version_confidence": "low",
  "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
  "version_resolution_needed": true,
  "workflow": {
    "workflow_id": "kibana--ca14c406d9--workflow",
    "vuln_family": "xss",
    "entry_surface": "web-ui-render-path",
    "preconditions": [
      "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
      "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
      "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
    ],
    "required_role": "editor-or-admin",
    "affected_version_assertion": [
      "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
    ],
    "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
    "request_or_ui_path": [
      "/admin/editor",
      "/preview",
      "/rendered-content"
    ],
    "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
    "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
    "server_evidence_points": [
      "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
      "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
    ],
    "browser_evidence_points": [
      "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
      "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
    ],
    "db_or_fs_evidence_points": [
      "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
      "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
    ],
    "detection_signals": [
      "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
      "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
    ],
    "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
    "patch_validation_steps": [
      "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
      "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
      "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
      "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
    ],
    "lab_safety_notes": [
      "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
      "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
      "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
    ],
    "review_state": "needs-version-gap-review"
  },
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "Elastic Security Announcements RSS"
    ],
    "source_kinds": [
      "rss-feed"
    ],
    "candidate_count": 1,
    "entity_ref_count": 1,
    "advisory_scope": "core",
    "version_confidence": "low",
    "workflow_id": "kibana--ca14c406d9--workflow"
  }
}