CVE-2026-33460

EPSS 0.03%
Veröffentlicht 08.04.2026 16:43:30
Zuletzt bearbeitet 21.04.2026 17:51:24
Quelle security@elastic.co
CVE-Watchlists
Login
Unerledigt
Login

Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Elastic ≫ Kibana Version >= 8.0.0 < 8.19.14

Elastic ≫ Kibana Version >= 9.0.0 < 9.2.8

Elastic ≫ Kibana Version >= 9.3.0 < 9.3.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.072

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@elastic.co	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-33460

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33460

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33460

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33460