CVE-2026-49095
Published 2026-05-28
Priority: P3 (40) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.26% (17.5th percentile)
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 8.0.0 < 8.19.16 | 8.19.16 |
| elastic | kibana | 8.0.0 – 8.19.15 | — |
| elastic | kibana | >= 9.0.0 < 9.3.5 | 9.3.5 |
| elastic | kibana | 9.0.0 – 9.3.4 | — |
| elastic | kibana | >= 9.4.0 < 9.4.2 | 9.4.2 |
| elastic | kibana | 9.4.0 – 9.4.1 | — |
GHSA
GHSA-p9vc-h7rw-q6hq: Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation
GHSA (unreviewed) · 2026-05-28
VulDB
Elastic Kibana up to 8.19.15/9.3.4/9.4.1 Configuration input validation (EUVD-2026-33033)
VulDB · 2026-05-28 · CVSS 6.5
A vulnerability was found in Elastic Kibana up to 8.19.15/9.3.4/9.4.1 and classified as problematic. The affected element is an unknown function of the component Configuration Handler. Such manipulation leads to improper input validation.
This vulnerability is traded as CVE-2026-49095. The attack may be launched remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-28: Published