CVE-2026-33461
Published 2026-04-08
Priority: P3 (41) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.28% (19.9th percentile)
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 8.0.0 < 8.19.14 | 8.19.14 |
| elastic | kibana | 8.0.0 – 8.19.13 | — |
| elastic | kibana | >= 9.0.0 < 9.2.8 | 9.2.8 |
| elastic | kibana | 9.0.0 – 9.2.7 | — |
| elastic | kibana | >= 9.3.0 < 9.3.3 | 9.3.3 |
| elastic | kibana | 9.3.0 – 9.3.2 | — |
VulDB
Elastic Kibana up to 8.19.13/9.2.7/9.3.2 Internal API Endpoint authorization (Nessus ID 305938)
vuldb·2026-04-11·CVSS 7.7
A vulnerability was found in Elastic Kibana up to 8.19.13/9.2.7/9.3.2. It has been declared as problematic. Affected is an unknown function of the component Internal API Endpoint. Executing a manipulation can lead to incorrect authorization.
This vulnerability appears as CVE-2026-33461. The attack may be performed from remote. There is no available exploit.
GHSA
GHSA-jf72-2wmj-p2f3: Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122)
ghsa_unreviewed·2026-04-08
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33461 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-33461: Kibana vulnerability analysis and mitigation
Source: NVD
Score 7.7
Published April 8, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Kibana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-4498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-4498: Kibana vulnerability analysis and mitigation
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond the user's direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
Source: NVD
Score 7.7
Published April 8, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Kibana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:elastic:kibana
Sources
NVD
Linux Severity HIGH No
Wiz
CVE-2026-33460 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-33460: Kibana vulnerability analysis and mitigation
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
Source: NVD
Score 4.3
Published April 8, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Kibana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-33458 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-33458: Kibana vulnerability analysis and mitigation
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Source: NVD
Score 6.3
Published April 8, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Kibana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:elastic:kibana
Sources
NVD
Linux Severity MEDIUM No Fix Added at: Apr 09, 2026
Wiz
CVE-2026-33459 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-33459: Kibana vulnerability analysis and mitigation
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.
Source: NVD
Score 6.5
Published April 8, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Kibana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Published 2026-04-08