{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.17.15"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.11.1"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "b7e28a7232616c7a21bc879a535d801b8553ba77"
            },
            {
              "fixed": "0b8ecfb4378335f4689c4223d1f1115f16bef3ba"
            },
            {
              "introduced": "1b6a7ece17463df5ff54a3e1302d825889aa1161"
            },
            {
              "fixed": "6f9ff581fbcde658e6f69d6ce03050f060d1fd0c"
            }
          ],
          "repo": "https://github.com/elastic/elasticsearch",
          "type": "GIT"
        }
      ]
    },
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.17.15"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.11.1"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "ee89fda8a17eff9c93f7400c102edf76cb4d7d8a"
            },
            {
              "fixed": "60e0d4fa38a2c99350f1533c141f641edbb8e608"
            },
            {
              "introduced": "57ca5e139a33dd2eed927ce98d8231a1f217cd15"
            },
            {
              "fixed": "09feaf416f986b239b8e8ad95ecdda0f9d56ebec"
            }
          ],
          "repo": "https://github.com/elastic/kibana",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "elastic",
    "cwe_ids": [
      "CWE-116"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49091.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "8.0.0"
          },
          {
            "last_affected": "8.11.0"
          },
          {
            "introduced": "7.0.0"
          },
          {
            "last_affected": "7.17.14"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.",
  "id": "CVE-2026-49091",
  "modified": "2026-07-15T01:48:54.029361532Z",
  "published": "2026-07-01T17:21:28.544Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-7-17-15-8-11-1-security-update-esa-2026-53"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49091.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49091"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Output Neutralization for Logs in Kibana Leading to Log Injection"
}