CVE-2026-4498
Published 2026-04-08
CVE-2026-4498: Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch…
Priority P3 · 47 · high · CVSS 3.1: 7.7
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.30% (21.6th percentile)
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 8.0.0 < 8.19.14 | 8.19.14 |
| elastic | kibana | 8.0.0 – 8.19.13 | — |
| elastic | kibana | >= 9.0.0 < 9.2.8 | 9.2.8 |
| elastic | kibana | >= 9.3.0 < 9.3.3 | 9.3.3 |
VulDB
Elastic Kibana up to 8.19.13 unnecessary privileges (Nessus ID 305938)
vuldb · 2026-04-11 · CVSS 7.7 · HIGH
A vulnerability described as problematic has been identified in Elastic Kibana up to 8.19.13. Impacted is an unknown function. Executing a manipulation can lead to execution with unnecessary privileges.
The identification of this vulnerability is CVE-2026-4498. The attack may be launched remotely. There is no exploit available.
GHSA
GHSA-4c73-92cw-x6vq: Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elastics
ghsa_unreviewed · 2026-04-08 · HIGH · CWE-250
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33461 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3 · MEDIUM
## CVE-2026-33461: Kibana vulnerability analysis and mitigation
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
Source: NVD
Score: 7.7
Published: April 8, 2026
Severity: HIGH
CNA Score: 7.7
Affected Technologies: Kibana
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
Wiz
CVE-2026-4498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3 · MEDIUM
## CVE-2026-4498: Kibana vulnerability analysis and mitigation
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
Source: NVD
Score: 7.7
Published: April 8, 2026
Severity: HIGH
CNA Score: 7.7
Affected Technologies: Kibana
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 14.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:elastic:kibana
Sources: NVD
Linux · Severity HIGH · No
Wiz
CVE-2026-33460 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3 · MEDIUM
## CVE-2026-33460: Kibana vulnerability analysis and mitigation
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
Source: NVD
Score: 4.3
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: Kibana
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
Wiz
CVE-2026-33458 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3 · MEDIUM
## CVE-2026-33458: Kibana vulnerability analysis and mitigation
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Source: NVD
Score: 6.3
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.3
Affected Technologies: Kibana
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:elastic:kibana
Sources: NVD
Linux · Severity MEDIUM · No · Fix Added at: Apr 09, 2026
Wiz
CVE-2026-33459 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3 · MEDIUM
## CVE-2026-33459: Kibana vulnerability analysis and mitigation
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.
Source: NVD
Score: 6.5
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: Kibana
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.7
Exploitation Probability (EPSS): N/A
Published: 2026-04-08