Description
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability is an incorrect authorization flaw in Kibana Fleet that allows a user with Fleet agent management privileges in one space to read policy details from other spaces. By calling an internal enrollment endpoint that bypasses space-scoped controls, an attacker can obtain operational identifiers, policy names, management state, and infrastructure linkage information for spaces the user is not otherwise authorized to access. This flaw is a classic instance of CWE-863 (Incorrect Authorization).

Affected Systems

The issue affects Elastic Kibana. The advisory does not list specific versions, so any version that implements the Fleet enrollment endpoint may be susceptible. Users should verify whether their Kibana deployment matches the affected architecture and consult the related Elastic security update notice for precise version details.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. The EPSS score is not available, and the vulnerability is not cataloged in CISA's KEV list. Exploitation requires a user with Fleet agent management privileges, so an attacker must first obtain or compromise such an account. With that capability, they can query the internal endpoint directly to leak policy data across spaces. Because the data revealed is limited to policy and infrastructure metadata, the impact is mainly a loss of confidentiality for operational details; it does not enable code execution or system compromise.

Generated by OpenCVE AI on April 8, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kibana release that includes the fix for CVE-2026-33460.
  • Ensure that only the minimal set of users have Fleet agent management rights and that those rights are scoped to appropriate spaces.
  • Audit and restrict internal API endpoints, ensuring that clients used by the enrollment endpoint are space-scoped.
  • Monitor Kibana logs for unexpected enrollment API calls made by privileged accounts across different spaces.
  • Regularly review Elastic’s security advisories and apply patches promptly to avoid future exposure.
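
As an added example for the log-monitoring action above (not code from OpenCVE or Elastic), the Python below flags accounts whose calls to the Fleet enrollment endpoint come from spaces outside their granted Fleet management spaces. The endpoint path is a placeholder because the advisory does not name the route; the audit field names (event.action, user.name, kibana.space_id, url.path), the sample log lines and the grants map are assumptions to adapt to your deployment.

```python
import json
from collections import defaultdict

# Placeholder: the advisory does not name the internal enrollment route.
FLEET_ENROLLMENT_PREFIX = "/internal/fleet/<enrollment-endpoint-placeholder>"

# Spaces each account is granted Fleet agent management in (assumed input
# from your own RBAC review, not from the advisory).
FLEET_GRANTS = {"alice": {"team-a"}, "bob": {"ops"}}

def _audit_line(user, space, path):
    # One constructed ECS-style audit event in the shape Kibana audit logging emits.
    return json.dumps({"event": {"action": "http_request"}, "user": {"name": user},
                       "kibana": {"space_id": space}, "url": {"path": path}})

# Constructed sample audit log: alice is only granted Fleet rights in team-a.
SAMPLE_AUDIT_LOG = "\n".join([
    _audit_line("alice", "team-a", FLEET_ENROLLMENT_PREFIX),      # expected
    _audit_line("alice", "default", "/api/saved_objects/_find"),  # not Fleet, ignored
    _audit_line("alice", "team-b", FLEET_ENROLLMENT_PREFIX),      # outside her grant
    _audit_line("alice", "default", FLEET_ENROLLMENT_PREFIX),     # outside her grant
    _audit_line("bob", "ops", FLEET_ENROLLMENT_PREFIX),           # bob stays in ops
])

def parse_audit(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def fleet_spaces_by_user(events, prefix=FLEET_ENROLLMENT_PREFIX):
    """Map user -> set of space ids from which they called the enrollment endpoint."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("event", {}).get("action") != "http_request":
            continue
        if not ev.get("url", {}).get("path", "").startswith(prefix):
            continue
        user = ev.get("user", {}).get("name", "<unknown>")
        seen[user].add(ev.get("kibana", {}).get("space_id", "default"))
    return dict(seen)

def find_cross_space_callers(text, grants=FLEET_GRANTS):
    """Return {user: sorted spaces} for callers acting outside their granted spaces."""
    findings = {}
    for user, spaces in fleet_spaces_by_user(parse_audit(text)).items():
        unexpected = spaces - grants.get(user, set())
        if unexpected:
            findings[user] = sorted(unexpected)
    return findings
```

Feed it the audit stream of the Kibana instance (or a query result exported as NDJSON) and review every flagged user against the space assignment recorded in your RBAC review.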

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Elastic; Elastic kibana

Type: Vendors & Products
Values Added: Elastic; Elastic kibana

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
Values Added: Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.

Type: Title
Values Added: Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Type: Weaknesses
Values Added: CWE-863

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-09T14:26:20.085Z

Reserved: 2026-03-20T10:53:23.099Z

Link: CVE-2026-33460

Vulnrichment

Updated: 2026-04-09T14:26:16.345Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T17:21:18.930

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:02Z

Weaknesses