Description
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
Published: 2026-04-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Exposure
Action: Apply Patch
AI Analysis

Impact

Kibana’s Fleet plugin debug route handlers allow an authenticated user with Fleet sub‑feature privileges to read Elasticsearch indices beyond the permissions granted by standard RBAC. Because the code executes with unnecessary privileges, the user can obtain data that should be restricted, potentially exposing sensitive information.

Affected Systems

The vulnerability affects Elastic Kibana across all deployed instances that use the Fleet plugin. Specific affected versions are not listed, but the advisory references versions 8.19.14, 9.2.8, and 9.3.3 as patched releases.

Risk and Exploitability

The CVSS severity score of 7.7 indicates a high impact, while the lack of an EPSS score means no current exploitation probability data is available. The issue is not in CISA’s KEV catalog. Exploitation requires only an authenticated session with Fleet privileges; no special network access is needed beyond standard Kibana access. The added privilege can lead to unauthorized disclosure of index data.

Generated by OpenCVE AI on April 8, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kibana to a patched release (e.g., 8.19.14, 9.2.8, or 9.3.3) as specified by Elastic's security advisory.
  • Limit Fleet sub‑feature privileges so that only trusted users can access Agent, Agent Policies, and Settings management.
  • Verify that Elasticsearch RBAC settings do not grant unnecessary index read permissions to Kibana roles.

Generated by OpenCVE AI on April 8, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Elastic
Elastic kibana
Vendors & Products Elastic
Elastic kibana

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
Title Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
Weaknesses CWE-250
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Elastic Kibana
cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-09T14:27:38.420Z

Reserved: 2026-03-20T10:53:18.459Z

Link: CVE-2026-4498

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T17:21:24.300

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-4498

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:05Z

Weaknesses