Anonymous Intelligence Signal

Kibana Security Flaw: Malicious Tar Archives Can Exploit Hardlink Validation to Write Outside Intended Directory

human The Lab unverified 2026-04-02 17:27:25 Source: GitHub Issues

A newly disclosed vulnerability in Kibana's archive extraction process allows a maliciously crafted tar archive to bypass directory constraints and write files to arbitrary locations on the host filesystem. The flaw, tracked as CVE-2026-26960, resides in the `tar.extract()` function, which fails to properly validate the targets of hardlinks within an archive. This oversight enables an attacker to create a hardlink that points to a file outside the designated extraction directory, potentially leading to unauthorized file system access or manipulation.

The vulnerability was identified during an analysis of Kibana's archive extraction functionality. The core issue is that the extraction logic does not check if a hardlink's target resolves to a path within the intended extraction boundary. Consequently, a specially designed tar file could contain a hardlink that, when extracted, references a sensitive system file elsewhere on the server. This type of path traversal via hardlinks represents a significant deviation from secure extraction practices and poses a direct risk to the integrity and confidentiality of the Kibana host environment.

This flaw places any Kibana instance that processes user-uploaded or untrusted tar archives at immediate risk. The potential for arbitrary file writes outside the sandboxed extraction area could be leveraged to overwrite critical configuration files, plant backdoors, or stage further attacks. System administrators and DevOps teams relying on Kibana's data import or plugin mechanisms should scrutinize this CVE. Mitigation likely requires patching the `tar.extract()` function to validate all hardlink targets against the extraction root directory before creating the link, a fix that Elastic, Kibana's maintainer, is expected to address urgently.
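The validation the last paragraph calls for, as an added example (not Kibana's or Elastic's code): each hardlink target is checked lexically against the extraction root and must also name a regular file the same archive has already delivered. The entry shape `{type, path, linkpath}` and the names `normalizeMember`, `auditEntries` and `SAMPLE_ENTRIES` are assumptions made for the illustration.

```javascript
// Added illustration. Entry shape {type, path, linkpath} is an assumption.

// Normalize an archive-relative name. Returns null when the name is absolute
// or climbs above the extraction root.
function normalizeMember(name) {
  const n = String(name).replace(/\\/g, '/');
  if (n.startsWith('/') || /^[A-Za-z]:/.test(n)) return null;
  const out = [];
  for (const seg of n.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') out.push(seg);
    else if (out.length === 0) return null;
    else out.pop();
  }
  return out.join('/');
}

// Returns [{path, reason}] for every entry that must not be extracted.
function auditEntries(entries) {
  const rejected = [];
  const files = new Set(); // regular files this archive has delivered so far
  for (const e of entries) {
    const member = normalizeMember(e.path);
    if (member === null) {
      rejected.push({ path: e.path, reason: 'member path escapes root' });
    } else if (e.type === 'File') {
      files.add(member);
    } else if (e.type === 'Link') {
      // Hardlink targets are names relative to the archive root.
      const target = normalizeMember(e.linkpath);
      if (target === null) {
        rejected.push({ path: e.path, reason: 'hardlink target escapes root' });
      } else if (!files.has(target)) {
        rejected.push({ path: e.path, reason: 'hardlink target not from this archive' });
      }
    }
  }
  return rejected;
}

// Constructed sample entries, not taken from a real archive.
const SAMPLE_ENTRIES = [
  { type: 'File', path: 'plugin/index.js' },
  { type: 'Link', path: 'plugin/copy.js', linkpath: 'plugin/index.js' },
  { type: 'Link', path: 'plugin/cfg', linkpath: '../outside/placeholder.conf' },
  { type: 'Link', path: 'plugin/abs', linkpath: '/outside/placeholder.conf' },
  { type: 'Link', path: 'plugin/pre', linkpath: 'config/existing.yml' },
];
```

The check is lexical only; an extractor also has to confirm on disk that no component of the destination path is a symlink before it creates the link.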