{"id":"CVE-2026-49091","summary":"Improper Output Neutralization for Logs in Kibana Leading to Log Injection","details":"Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.","modified":"2026-07-15T01:48:54.029361532Z","published":"2026-07-01T17:21:28.544Z","database_specific":{"cna_assigner":"elastic","cwe_ids":["CWE-116"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49091.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"8.0.0"},{"last_affected":"8.11.0"},{"introduced":"7.0.0"},{"last_affected":"7.17.14"}]}]},"references":[{"type":"WEB","url":"https://discuss.elastic.co/t/kibana-7-17-15-8-11-1-security-update-esa-2026-53"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49091.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49091"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"b7e28a7232616c7a21bc879a535d801b8553ba77"},{"fixed":"0b8ecfb4378335f4689c4223d1f1115f16bef3ba"},{"introduced":"1b6a7ece17463df5ff54a3e1302d825889aa1161"},{"fixed":"6f9ff581fbcde658e6f69d6ce03050f060d1fd0c"}],"database_specific":{"cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.17.15"},{"introduced":"8.0.0"},{"fixed":"8.11.1"}],"source":"CPE_RANGE"}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49091.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"ee89fda8a17eff9c93f7400c102edf76cb4d7d8a"},{"fixed":"60e0d4fa38a2c99350f1533c141f641edbb8e608"},{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"fixed":"09feaf416f986b239b8e8ad95ecdda0f9d56ebec"}],"database_specific":{"extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.17.15"},{"introduced":"8.0.0"},{"fixed":"8.11.1"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49091.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"}]}