CVE-2019-7609

CRITICAL KEV NUCLEI LAB

Kibana Timelion Prototype Pollution RCE

Title source: metasploit

Exploitation Summary

CVE-2019-7609 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2022. EIP tracks 17 public exploits from researchers including LandGrey, jas502n and mpgn, as well as a Metasploit module, exploits/linux/http/kibana_timelion_prototype_pollution_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 5.6.15 and < 6.6.1. It leverages the Timelion API to inject malicious payloads, achieving RCE via Node.js child_process execution.

Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

Exploits (17)

nomisec WORKING POC 166 stars
by LandGrey · remote
https://github.com/LandGrey/CVE-2019-7609

This PoC exploits CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 5.6.15 and < 6.6.1. It leverages the Timelion API to inject malicious payloads, achieving RCE via Node.js child_process execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 5.6.15, < 6.6.1
No auth needed
Prerequisites: Network access to Kibana API · Timelion plugin enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 89 stars
by jas502n · remote
https://github.com/jas502n/kibana-RCE

This PoC demonstrates a remote code execution (RCE) vulnerability in Kibana versions prior to 6.6.0 by exploiting the Timelion and Canvas features to inject malicious commands via prototype pollution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.0
No auth needed
Prerequisites: Timelion and Canvas features enabled · Network access to the vulnerable Kibana instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 56 stars
by mpgn · remote-auth
https://github.com/mpgn/CVE-2019-7609

This repository contains a working proof-of-concept exploit for CVE-2019-7609, a prototype pollution vulnerability in Kibana's Timelion visualizer. The exploit leverages JavaScript payloads to achieve remote code execution (RCE) by manipulating the prototype chain and executing arbitrary commands via Node.js child_process.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana versions before 5.6.15 and 6.6.1
Auth required
Prerequisites: Access to the Timelion application in Kibana · Network connectivity to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 21 stars
by hekadan · remote
https://github.com/hekadan/CVE-2019-7609

This repository provides a working proof-of-concept exploit for CVE-2019-7609, a remote code execution vulnerability in Kibana's Timelion visualizer. The exploit leverages prototype pollution to execute arbitrary commands via a reverse shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.1 or < 5.6.15
No auth needed
Prerequisites: Access to Kibana's Timelion interface · Network connectivity to the attacker's reverse shell listener
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by Cr4ckC4t · remote
https://github.com/Cr4ckC4t/cve-2019-7609

This is a Python-based exploit for CVE-2019-7609, targeting Kibana versions before 5.6.15 and 6.6.0. It achieves RCE by injecting a reverse shell payload via the Timelion visualizer API.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 5.6.15 and 6.0.0 <= Kibana < 6.6.0
No auth needed
Prerequisites: Network access to the Kibana server · Listener set up for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Akshay15-png · remote
https://github.com/Akshay15-png/CVE-2019-7609

This is a Python-based exploit for CVE-2019-7609, targeting Kibana versions before 6.6.1. It achieves remote code execution (RCE) by exploiting a vulnerability in the Timelion API to inject a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.1
No auth needed
Prerequisites: Network access to the Kibana instance · Kibana version < 6.6.1
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by dnr6419 · poc
https://github.com/dnr6419/CVE-2019-7609

This repository provides a writeup and setup instructions for exploiting CVE-2019-7609, a prototype pollution vulnerability in Kibana's Timelion visualizer that can lead to RCE or DoS. It includes references to external sources and debugging setup but lacks actual exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Kibana versions before 5.6.15 and 6.6.1
No auth needed
Prerequisites: Docker environment · Kibana instance with vulnerable version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by rhbb · remote
https://github.com/rhbb/CVE-2019-7609

This PoC exploits CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 5.6.15 and < 6.6.1. It leverages the Timelion API to inject malicious payloads, achieving RCE via prototype pollution and command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 5.6.15 and < 6.6.1
No auth needed
Prerequisites: Network access to vulnerable Kibana instance · Python environment with requests library
devstral-2 · analyzed Feb 16, 2026

gitlab WORKING POC
by digipenguin · remote
https://gitlab.com/digipenguin/CVE-2019-7609

This repository contains a functional Python exploit for CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 6.6.1. The exploit leverages the Timelion API to inject malicious payloads, achieving RCE via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.1
No auth needed
Prerequisites: Network access to Kibana instance · Python environment
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by toxxxaka · poc
https://github.com/toxxxaka/CVE-2019-7609

This repository contains a functional Python exploit for CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 6.6.1. The exploit leverages the Timelion API to inject malicious payloads via prototype pollution, leading to arbitrary command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.1
No auth needed
Prerequisites: Network access to the Kibana instance · Kibana version < 6.6.1
devstral-2 · analyzed Apr 24, 2026

nomisec WORKING POC
by toxaker · remote
https://github.com/toxaker/CVE-2019-7609

This repository contains a functional Python exploit for CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 5.6.15 and < 6.6.1. The exploit leverages the Timelion API to inject malicious payloads, achieving RCE via prototype pollution and environment variable manipulation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 5.6.15 and < 6.6.1
No auth needed
Prerequisites: Network access to the Kibana instance · Kibana version < 5.6.15 or < 6.6.1
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by aleister1102 · remote
https://github.com/aleister1102/kibana-prototype-pollusion

This repository contains a working proof-of-concept exploit for CVE-2019-7609, demonstrating prototype pollution in Kibana's Timelion visualizer leading to arbitrary code execution. The exploit leverages Node.js child process spawning with manipulated environment variables to achieve RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana versions before 5.6.15 and 6.6.1
Auth required
Prerequisites: Access to the Timelion application in Kibana
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by d0x-awrqxavc · poc
https://github.com/d0x-awrqxavc/CVE-2019-7609-KibanaRCE

This repository contains a functional Python 3 exploit for CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 5.6.15 and < 6.6.1. The exploit leverages the Timelion API to execute arbitrary commands via prototype pollution, resulting in a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 5.6.15 and < 6.6.1
No auth needed
Prerequisites: Network access to the Kibana instance · Python 3 environment
devstral-2 · analyzed Mar 21, 2026

nomisec WORKING POC
by OliveiraaX · remote
https://github.com/OliveiraaX/CVE-2019-7609-KibanaRCE

This repository contains a Python 3-compatible exploit for CVE-2019-7609, a remote code execution vulnerability in Kibana versions < 6.6.1. The exploit leverages the Timelion API to inject malicious payloads and achieve reverse shell access.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.1
No auth needed
Prerequisites: Network access to vulnerable Kibana instance · Python 3 environment
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by wolf1892 · remote
https://github.com/wolf1892/CVE-2019-7609

This repository provides a Docker lab setup and payloads for exploiting CVE-2019-7609, a prototype pollution vulnerability in Kibana that leads to remote code execution via the Timelion visualizer.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Kibana < 6.6.1
No auth needed
Prerequisites: Access to Kibana Timelion visualizer · Network connectivity to attacker-controlled server
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/CaelumIsMe/CVE-2019-7069-POC

This repository contains a functional Python3 exploit for CVE-2019-7609, a prototype pollution vulnerability in Kibana < 6.6.1 that allows remote code execution. The exploit includes version detection, vulnerability verification, and an optional reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana < 6.6.1
No auth needed
Prerequisites: Network access to vulnerable Kibana instance · Python3 with requests and packaging libraries
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC MANUAL
by h00die, Michał Bentkowski, Gaetan Ferry · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb

This Metasploit module exploits a prototype pollution vulnerability in Kibana's Timelion visualizer (CVE-2019-7609) to achieve remote code execution. It injects malicious payloads via the Timelion API, leveraging environment variable manipulation to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kibana versions before 5.6.15 and 6.6.1
No auth needed
Prerequisites: Network access to Kibana instance · Timelion application access
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Kibana Timelion - Arbitrary Code Execution
CRITICAL · by dwisiswant0
Shodan: http.title:"kibana"
FOFA: title="kibana"

Scores

CVSS v3 10.0
EPSS 0.9443
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull docker.elastic.co/elasticsearch/elasticsearch:6.6.0
docker pull docker.elastic.co/kibana/kibana:6.5.4
docker pull elasticsearch:6.5.3
docker pull kibana:6.5.3
docker pull docker.elastic.co/elasticsearch/elasticsearch:6.5.4

Details

CISA KEV 2022-01-10
VulnCheck KEV 2021-05-07
InTheWild.io 2022-01-10
ENISA EUVD EUVD-2019-17147
CWE CWE-94
Status published
Products (3)
elastic/kibana < 5.6.15
redhat/openshift_container_platform 3.11
redhat/openshift_container_platform 4.1
Published Mar 25, 2019
KEV Added Jan 10, 2022
Tracked Since Feb 18, 2026