Port reference
Port 5601 (TCP) – Kibana
Default port for Kibana, the web UI for visualizing and managing Elasticsearch data.
Default state
Kibana often binds to 0.0.0.0 with no authentication unless the Elastic security stack is configured, exposing dashboards and the underlying Elasticsearch data to anyone reaching 5601.
Common attacks
- Unauthenticated access to dashboards exposing sensitive Elasticsearch data
- CVE-2019-7609 Timelion prototype-pollution remote code execution
- Pivoting into the backing Elasticsearch cluster on 9200
- Information disclosure of logs, metrics, and indexed records
Hardening
- Bind to localhost or a private interface (server.host); never expose 5601 to the internet
- Enable Elastic Stack security (authentication and RBAC)
- Require TLS and put a reverse proxy with auth in front for remote access
- Firewall 5601 to trusted hosts and segment from Elasticsearch
- Keep Kibana and Elasticsearch patched
nmap snippet
nmap -p5601 --script http-title <target>
Replace <target> with the host or range you're authorized to scan.
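As an added example (not part of this reference and not Elastic's own tooling), the following Python check complements the nmap snippet by classifying the reply from Kibana's /api/status endpoint, so an inventory scan of hosts you are authorized to test can tell an unauthenticated instance (answers with its status document) from one behind Elastic security (401 or redirect to the login page). The sample responses are constructed, not captured from a live system.

```python
import json
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError so a redirect to /login is classified, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_kibana_status(status_code, headers, body):
    """Classify one GET /api/status response as 'open' (answers without
    credentials), 'auth-required', 'not-kibana' or 'unknown'; also returns
    the Kibana version when the JSON status document exposes it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # Kibana tags its responses with kbn-name / kbn-version headers.
    is_kibana = "kbn-name" in lowered or "kbn-version" in lowered
    if status_code == 401:
        return "auth-required", None
    if 300 <= status_code < 400 and "login" in lowered.get("location", "").lower():
        return "auth-required", None
    if status_code == 200:
        try:
            info = json.loads(body.decode("utf-8", errors="replace"))
        except ValueError:
            info = {}
        version = info.get("version") if isinstance(info, dict) else None
        number = version.get("number") if isinstance(version, dict) else None
        if number or is_kibana:
            return "open", number
        return "not-kibana", None
    return "unknown", None


def check_host(host, port=5601, scheme="http", timeout=5.0):
    """Probe one authorized host on 5601 and classify its /api/status response."""
    url = f"{scheme}://{host}:{port}/api/status"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_kibana_status(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return classify_kibana_status(err.code, dict(err.headers), err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable", None


# Constructed sample responses (not captured from a real Kibana instance).
SAMPLE_OPEN = (200, {"kbn-name": "kibana", "Content-Type": "application/json"},
               b'{"name":"kibana","version":{"number":"7.6.1"},"status":{"overall":{"state":"green"}}}')
SAMPLE_LOCKED = (401, {"WWW-Authenticate": 'Basic realm="Authorization Required"'}, b"Unauthorized")
```

Call `check_host("10.0.0.5")` (or loop over your inventory) to probe live hosts; an "open" verdict with a version number is the condition the hardening checklist is meant to eliminate.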
What runs on port 5601?
Port 5601 is the default for Kibana, the web interface for the Elastic Stack used to search, visualize, and manage data stored in Elasticsearch. Operators open dashboards in a browser over 5601, and Kibana queries the backing Elasticsearch cluster (HTTP API on 9200) on their behalf.
Why it matters for security
Kibana is a direct window into Elasticsearch. Unless the Elastic security features are configured, it often binds to 0.0.0.0 with no authentication, so anyone reaching 5601 can browse dashboards and the underlying logs, metrics, and records. Kibana has also carried serious code-execution bugs such as CVE-2019-7609, the Timelion prototype-pollution RCE, making exposure especially dangerous.
How it's attacked
Attackers scan for open 5601 and load dashboards without credentials to exfiltrate sensitive data and learn the environment. They use the UI and its console to pivot into Elasticsearch on 9200, and against unpatched versions they exploit Timelion RCE (CVE-2019-7609) to run code on the Kibana host, turning a dashboard into a foothold.
Hardening checklist
Bind Kibana to localhost or a private interface via server.host and keep 5601 off the public internet. Enable Elastic Stack security (authentication and RBAC), require TLS, and front remote access with an authenticating reverse proxy. Firewall 5601 to trusted hosts, segment it from the Elasticsearch cluster, and keep both patched. Use the nmap snippet above to detect exposed instances on hosts you are authorized to test.
Frequently asked questions
- Is it safe to expose Kibana on port 5601?
- No. Without the Elastic security stack, Kibana has no authentication and exposes all backing Elasticsearch data. Bind to localhost, enable authentication and TLS, and firewall the port.
- What was the Kibana Timelion RCE?
- CVE-2019-7609 was a prototype-pollution flaw in the Timelion visualizer that let an attacker run arbitrary code on the Kibana host. Patch Kibana and restrict access to 5601.