CVE-2026-4498 — Execution with Unnecessary Privileges in Kibana

CWE-250 — Execution with Unnecessary Privileges5 documents5 sources

Severity

7.7HIGHNVD

EPSS

0.1%

top 83.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedApr 8

Latest updateApr 11

Description

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶NVDelastic/kibana8.0.0 — 8.19.14+2

▶CVEListV5elastic/kibana8.0.0 — 8.19.13

🔴Vulnerability Details

VulDB

Elastic Kibana up to 8.19.13 unnecessary privileges (Nessus ID 305938)↗2026-04-11

▶

GHSA

GHSA-4c73-92cw-x6vq: Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elastics↗2026-04-08

▶

CVEList

Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope↗2026-04-08

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4498 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶