CVE-2026-33460

MEDIUM

Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Title source: cna

Description

Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.

References (1)

https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

Elastic/Kibana 8.0.0 - 8.19.13

elastic/kibana 8.0.0 - 8.19.14

Elastic/Kibana 9.0.0 - 9.2.7

Elastic/Kibana 9.3.0 - 9.3.2

Published Apr 08, 2026

Tracked Since Apr 08, 2026