Description
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
Published: 2026-04-08
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Information disclosure of sensitive configuration data, including private keys and authentication tokens
Action: Apply Patch
AI Analysis

Impact

Elastic Kibana’s Fleet feature contains an incorrect authorization check that allows users with limited Fleet privileges to call an internal API endpoint and retrieve full configuration objects. The response includes private keys and authentication tokens that should only be accessible to users with higher‑level settings privileges, thereby exposing critical credentials.

Affected Systems

The vulnerability affects Elastic Kibana installations that expose Fleet functionality. The CVE data on this page lists no affected or fixed version numbers and no references, so treat every Kibana deployment with Fleet enabled as potentially affected until Elastic publishes a fixed version and it has been applied.

Risk and Exploitability

The CVSS v3.1 vector recorded on this page (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) scores 7.7 (High): the endpoint is reachable over the network, attack complexity is low, no user interaction is needed, and only low privileges are required, i.e. any authenticated user holding limited Fleet rights. Confidentiality impact is high with no integrity or availability impact, and the changed scope (S:C) indicates the impact extends beyond Kibana's own security authority, consistent with the disclosed private keys and tokens being credentials for other components. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker with limited Fleet rights calls an internal API endpoint that composes its response from full configuration objects and returns them directly, bypassing the authorization checks that the dedicated settings APIs enforce; the credentials obtained this way can then be used against the underlying infrastructure. The attack vector (an internal API reached by an authenticated user) is inferred from the description; the CVE record lists no references or exploit details.

Generated by OpenCVE AI on April 8, 2026 at 19:21 UTC.
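
The mechanism described above (a composite endpoint that returns full configuration objects without applying the settings-level check) is the CWE-863 pattern in miniature. The TypeScript below is an added illustration written for this page, not Kibana's code and not the affected endpoint: the privilege names, the OutputConfig shape, the secret field names and the sample data are all assumptions. It places the leaky handler beside one that enforces the same privilege a dedicated settings API would and redacts secrets for callers who lack it, plus a small response scanner that a test suite can run against every composite endpoint.

```typescript
// Added illustration for this page; not Kibana source. Privilege names, the
// configuration shape, secret field names and the sample data are assumptions.

type Privilege = "none" | "read" | "all";

interface User {
  name: string;
  // Hypothetical split: "fleet" for day-to-day Fleet use, "fleetSettings" for
  // the higher-level settings privilege the CVE description refers to.
  privileges: { fleet: Privilege; fleetSettings: Privilege };
}

interface OutputConfig {
  id: string;
  hosts: string[];
  ssl?: { certificate: string; privateKey: string }; // privateKey is secret
  serviceToken?: string;                              // secret
}

export class Forbidden extends Error {}

export const REDACTED = "<redacted>";
// Field names treated as secrets when composing responses (assumption).
const SECRET_KEYS = new Set(["privateKey", "serviceToken"]);

// Constructed sample configuration; values are placeholders, not real credentials.
const OUTPUTS: OutputConfig[] = [
  {
    id: "default",
    hosts: ["https://es.example.internal:9200"],
    ssl: {
      certificate: "-----BEGIN CERTIFICATE-----\nMIIB...FAKE\n-----END CERTIFICATE-----",
      privateKey: "-----BEGIN PRIVATE KEY-----\nMIIE...FAKE\n-----END PRIVATE KEY-----",
    },
    serviceToken: "AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL0ZBS0U",
  },
];
const FLEET_SERVER_HOSTS = ["https://fleet.example.internal:8220"];

function composeFullConfig() {
  return { outputs: OUTPUTS, fleetServerHosts: FLEET_SERVER_HOSTS };
}

// Vulnerable pattern: an internal composite endpoint that only checks for
// *some* Fleet access and then returns the stored objects verbatim. The
// dedicated settings API would demand fleetSettings, but this path never
// consults it, so private keys and tokens go to any Fleet user.
export function vulnerableGetEnrollmentConfig(user: User) {
  if (user.privileges.fleet === "none") throw new Forbidden(`${user.name}: Fleet access required`);
  return composeFullConfig();
}

// Recursively replace secret fields so the structure stays usable for callers
// who legitimately need hosts and certificates but not keys or tokens.
export function redactSecrets<T>(value: T): T {
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v)) as unknown as T;
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_KEYS.has(k) ? REDACTED : redactSecrets(v);
    }
    return out as T;
  }
  return value;
}

// Hardened pattern: the composite endpoint enforces the same privilege as the
// dedicated settings API before it may hand back secrets, and falls back to a
// redacted view for everyone else. Denying outright would be equally valid.
export function hardenedGetEnrollmentConfig(user: User) {
  if (user.privileges.fleet === "none") throw new Forbidden(`${user.name}: Fleet access required`);
  const full = composeFullConfig();
  return user.privileges.fleetSettings === "all" ? full : redactSecrets(full);
}

// Response-side check: true if any secret field is present with a real value.
export function leaksSecrets(value: unknown): boolean {
  if (Array.isArray(value)) return value.some(leaksSecrets);
  if (value !== null && typeof value === "object") {
    return Object.entries(value as Record<string, unknown>).some(
      ([k, v]) => (SECRET_KEYS.has(k) && v !== REDACTED) || leaksSecrets(v),
    );
  }
  return false;
}

// Constructed callers used to exercise both handlers.
export const limitedUser: User = { name: "agent-operator", privileges: { fleet: "read", fleetSettings: "none" } };
export const settingsAdmin: User = { name: "fleet-admin", privileges: { fleet: "all", fleetSettings: "all" } };
export const noFleetUser: User = { name: "viewer", privileges: { fleet: "none", fleetSettings: "none" } };
```

The point of `leaksSecrets` is that it checks the response, not the route: a composite endpoint that pulls objects from several stores is exactly where a per-store authorization guard gets skipped, so asserting on what leaves the handler catches the class of bug regardless of which internal path produced it.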

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current Kibana version and confirm that Fleet is enabled
  • Apply the Kibana security update that addresses incorrect authorization in the Fleet API as soon as Elastic publishes one; this page lists no fixed version yet, so check the vendor advisory
  • Restart Kibana so that the patched code is loaded
  • Until the patch is in place, keep Fleet privileges to the minimum needed and review which users hold limited Fleet access, since any of them can exercise the flaw
  • Rotate any authentication tokens and private keys that could have been retrieved through the affected endpoint; assume exposure if you cannot rule out access by users with limited Fleet privileges

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Elastic; Elastic kibana
Vendors & Products    -                Elastic; Elastic kibana

Wed, 08 Apr 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description   -                Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
Title         -                Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Weaknesses    -                CWE-863
References    -
Metrics       -                cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-08T16:41:27.335Z

Reserved: 2026-03-20T10:53:23.099Z

Link: CVE-2026-33461

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T17:21:19.153

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:04Z

Weaknesses