CVE-2026-33460: Incorrect Authorization in Kibana

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 92.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: elastic/kibana (see Affected Packages below)
Timeline: Published Apr 8, 2026; latest update Apr 11, 2026

Description

Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the use
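The following is an added illustration of the bug class the description names, not Kibana's own code: a request handler that reads Fleet-style policy records through an unscoped internal client returns records from every space, while the same handler with a request-scoped lookup returns only the caller's space. The store, record fields, space ids, and the two client functions are all constructed for this example; the field names mirror the categories of data the description says leak (operational identifiers, policy names, management state, infrastructure linkage).

```typescript
// Added example for CVE-2026-33460 (CWE-863, cross-space disclosure).
// Everything below is constructed for illustration; it is not Kibana's code or API.

type SpaceId = string;

interface PolicyRecord {
  id: string;                 // operational identifier
  name: string;               // policy name
  isManaged: boolean;         // management state
  fleetServerHostId: string;  // infrastructure linkage
  namespaces: SpaceId[];      // spaces in which this record is visible
}

interface Caller {
  user: string;
  spaceId: SpaceId;           // the space the request was issued in
}

// Constructed sample data: one policy private to each space, one shared by both.
const STORE: PolicyRecord[] = [
  { id: 'fs-1', name: 'fleet-server-default', isManaged: true,  fleetServerHostId: 'host-a', namespaces: ['default'] },
  { id: 'fs-2', name: 'fleet-server-prod',    isManaged: false, fleetServerHostId: 'host-b', namespaces: ['prod'] },
  { id: 'fs-3', name: 'fleet-server-shared',  isManaged: true,  fleetServerHostId: 'host-c', namespaces: ['default', 'prod'] },
];

// Stand-in for an unscoped internal client: it has no notion of who is asking
// and sees every namespace.
function findAllUnscoped(): PolicyRecord[] {
  return STORE.slice();
}

// Stand-in for a request-scoped client: only records visible in the caller's
// space are returned.
function findScoped(caller: Caller): PolicyRecord[] {
  return STORE.filter((r) => r.namespaces.includes(caller.spaceId));
}

// Vulnerable pattern: the handler answers from the internal client, so the
// response is the same no matter which space the request came from.
function enrollmentPoliciesVulnerable(_caller: Caller): string[] {
  return findAllUnscoped().map((r) => r.id);
}

// Hardened pattern: identical handler, but the lookup is bound to the
// caller's space, so other spaces' records never reach the response.
function enrollmentPoliciesFixed(caller: Caller): string[] {
  return findScoped(caller).map((r) => r.id);
}

// Review helper: which returned ids are NOT visible in the caller's space?
// A non-empty result is cross-space disclosure.
function crossSpaceLeak(caller: Caller, returnedIds: string[]): string[] {
  return returnedIds.filter((id) => {
    const rec = STORE.find((r) => r.id === id);
    return rec !== undefined && !rec.namespaces.includes(caller.spaceId);
  });
}

// Stand-alone demonstration.
const operator: Caller = { user: 'fleet-operator', spaceId: 'default' };
console.log('vulnerable leaks:', crossSpaceLeak(operator, enrollmentPoliciesVulnerable(operator)));
console.log('fixed leaks:     ', crossSpaceLeak(operator, enrollmentPoliciesFixed(operator)));
```

The point of the `crossSpaceLeak` helper is the check a reviewer applies to any endpoint backed by an internal or system-level client: take the ids in the response, look up which spaces each belongs to, and confirm the set is a subset of what the caller's space is allowed to see. When an internal client is genuinely needed (for example to read a record whose space the caller cannot name), the handler must still filter or deny based on the caller's own space before returning anything.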

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4
(Network-reachable, low attack complexity, low privileges required, no user interaction, scope unchanged; low confidentiality impact only, no integrity or availability impact. Base score 4.3.)

Affected Packages (1)

elastic/kibana 9.3.0 through 9.3.2 (CVEList V5), plus 2 further affected version ranges listed in the CVE record

🔴 Vulnerability Details

VulDB (2026-04-11): Elastic Kibana up to 8.19.13/9.2.7/9.3.2 Internal Enrollment Endpoint authorization (Nessus ID 305938)
GHSA (2026-04-08): GHSA-998c-7hf5-g249: Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122)
CVEList (2026-04-08): Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

🕵️ Threat Intelligence

Wiz: CVE-2026-33460 Impact, Exploitability, and Mitigation Steps | Wiz
cvebase: CVE-2026-33460 — Incorrect Authorization in Elastic | cvebase