Description
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.
Published: 2026-05-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in the Kibana Fleet agent policy management feature allows an authenticated user with Fleet management privileges to craft malicious configuration overrides. By injecting unvalidated values, the attacker can have Elastic Agents receive API keys that carry elevated privileges. These keys can grant unauthorized read and write access to sensitive Elasticsearch security indices, effectively raising the attacker's access level beyond the intended Fleet role.

Affected Systems

The vulnerability affects Elastic Kibana deployments that use the Fleet agent management feature. The CVE description does not specify particular Kibana or Fleet versions, so any environment running Kibana with Fleet enabled and where the agent policy configuration overrides are accessible should be evaluated for this flaw.

Risk and Exploitability

With a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N), the flaw presents a high risk to the confidentiality and integrity of the Elasticsearch data store; availability is not affected (A:N). The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, and the attack requires an authenticated user who already holds Fleet management rights (PR:H). An attacker controlling such a role can inject policy overrides so that agents are issued API keys with elevated privileges, obtaining read and write access to security indices beyond what the Fleet role is meant to allow. The vulnerability is therefore practically exploitable in any environment where Fleet is enabled and users hold Fleet management privileges.

Generated by OpenCVE AI on May 28, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kibana to a release that contains the fix for the Fleet policy input validation issue once Elastic publishes one; at the time of writing this record lists no advisory, fix or workaround.
  • Restrict the use of the configuration override feature to a minimum set of trusted users and remove any override capabilities from users without a strict need for them.
  • Revoke or reduce Fleet management privileges for users who do not require them, and enforce least privilege by creating dedicated roles with only the necessary permissions.
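As an added illustration of the Impact paragraph and of the second and third recommended actions above (example code written for this page, not part of the CVE record or of Elastic's code): a Python audit that takes the JSON returned by Elasticsearch's `GET /_security/api_key?owner=false` and flags keys whose role descriptors grant cluster-wide privileges or index privileges reaching the security indices, or that carry no role descriptors at all and so inherit every privilege of the user that created them. The response shape (an `api_keys` array with `id`, `name`, `invalidated` and `role_descriptors`) is assumed from current Elasticsearch 8.x responses; the sample response and the probe index names are constructed for the example.

```python
"""Audit Elasticsearch API keys for privileges that reach the security indices.

Added example, not from Elastic or the CVE record. Input follows the shape of
GET /_security/api_key?owner=false; the sample below is constructed.
"""
import fnmatch
import json

# Concrete security index names used as probes (constructed; add the names
# present in your cluster, e.g. from GET /_cat/indices/.security*).
SECURITY_INDICES = (".security-7", ".security-tokens-7", ".security-profile-8")

# Cluster privileges an Elastic Agent output key has no business holding.
ELEVATED_CLUSTER_PRIVS = {"all", "manage_security"}


def pattern_reaches(pattern, indices=SECURITY_INDICES):
    """True if an index-name pattern (Elasticsearch '*' wildcard syntax)
    matches any of the probe security indices."""
    return any(fnmatch.fnmatchcase(name, pattern) for name in indices)


def audit_api_keys(response, indices=SECURITY_INDICES):
    """Return one finding per live API key whose role descriptors exceed what
    an agent output key should carry. Keys already invalidated are skipped."""
    findings = []
    for key in response.get("api_keys", []):
        if key.get("invalidated"):
            continue
        reasons = []
        descriptors = key.get("role_descriptors") or {}
        if not descriptors:
            # An API key created with no role descriptors is limited only by
            # its creator's privileges, i.e. it inherits all of them.
            reasons.append("no role_descriptors: key inherits creator's privileges")
        for role_name, desc in descriptors.items():
            bad_cluster = ELEVATED_CLUSTER_PRIVS.intersection(desc.get("cluster", []))
            if bad_cluster:
                reasons.append(f"{role_name}: cluster {sorted(bad_cluster)}")
            for grant in desc.get("indices", []):
                hits = [p for p in grant.get("names", []) if pattern_reaches(p, indices)]
                if hits:
                    reasons.append(
                        f"{role_name}: indices {hits} privileges {grant.get('privileges', [])}"
                    )
        if reasons:
            findings.append({"key_id": key["id"], "name": key.get("name"), "reasons": reasons})
    return findings


# Constructed sample response: one well-scoped agent key, two over-privileged
# keys, one invalidated key, and one key with no role descriptors.
SAMPLE_RESPONSE = {
    "api_keys": [
        {"id": "key-aaa", "name": "agent-policy-1-output", "invalidated": False,
         "role_descriptors": {"agent-output": {"cluster": ["monitor"], "indices": [
             {"names": ["logs-*", "metrics-*"], "privileges": ["auto_configure", "create_doc"]}]}}},
        {"id": "key-bbb", "name": "agent-policy-2-output", "invalidated": False,
         "role_descriptors": {"agent-output": {"cluster": ["monitor"], "indices": [
             {"names": ["logs-*", ".security*"], "privileges": ["read", "write"]}]}}},
        {"id": "key-ccc", "name": "agent-policy-3-output", "invalidated": False,
         "role_descriptors": {"agent-output": {"cluster": ["all"], "indices": [
             {"names": ["*"], "privileges": ["all"]}]}}},
        {"id": "key-ddd", "name": "retired-output", "invalidated": True,
         "role_descriptors": {"r": {"indices": [{"names": ["*"], "privileges": ["all"]}]}}},
        {"id": "key-eee", "name": "agent-policy-4-output", "invalidated": False,
         "role_descriptors": {}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(audit_api_keys(SAMPLE_RESPONSE), indent=2))
```

Flagged keys are candidates for `DELETE /_security/api_key` (invalidation) followed by reassigning the affected agents to a policy whose output permissions are known good. The audit is deliberately conservative: it reports on the key's own role descriptors and ignores `limited_by_role_descriptors`, so a key may be flagged even where its creator's privileges would have capped it.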

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elastic; Elastic kibana
Vendors & Products | | Elastic; Elastic kibana

Thu, 28 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.
Title | | Improper Input Validation in Kibana Fleet Leading to Privilege Escalation
Weaknesses | | CWE-20
References | | (none)
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-30T03:57:26.877Z

Reserved: 2026-05-27T11:31:33.582Z

Link: CVE-2026-49095

Vulnrichment

Updated: 2026-05-29T16:21:32.336Z

NVD

Status : Analyzed

Published: 2026-05-28T21:16:34.660

Modified: 2026-06-01T13:30:50.997

Link: CVE-2026-49095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses
  • CWE-20: Improper Input Validation