CVE-2026-49095
published 2026-05-28


Priority: P3 (40), medium
CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.26% (17.5th percentile)
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.

Affected

6 ranges

Vendor    Product   Version range          Fixed in
elastic   kibana    >= 8.0.0 < 8.19.16     8.19.16
elastic   kibana    8.0.0 – 8.19.15
elastic   kibana    >= 9.0.0 < 9.3.5       9.3.5
elastic   kibana    9.0.0 – 9.3.4
elastic   kibana    >= 9.4.0 < 9.4.2       9.4.2
elastic   kibana    9.4.0 – 9.4.1