CVE-2026-26939

MEDIUM

Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration

Title source: cna

Description

Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.

Scores

CVSS v3 6.5
EPSS 0.0004
EPSS Percentile 10.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (5)
elastic/kibana 9.3.0
Elastic/Kibana 8.0.0 - 8.19.11
elastic/kibana 8.0.0 - 8.19.12
Elastic/Kibana 9.0.0 - 9.2.5
Elastic/Kibana 9.3.0
Published Mar 19, 2026
Tracked Since Mar 19, 2026