CVE-2026-33460
Received Received - Intake
Incorrect Authorization in Kibana Enables Cross-Space Data Disclosure

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: Elastic

Description
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33460
EUVD
EUVD-2026-20523
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.14 (exc)
elastic kibana From 9.0.0 (inc) to 9.2.8 (exc)
elastic kibana From 9.3.0 (inc) to 9.3.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33460 is an incorrect authorization vulnerability in Kibana that affects deployments using Kibana Spaces with Fleet enabled. It allows a user who has Fleet agent management privileges in one Kibana space to access Fleet Server policy details from other spaces where they should not have access.

This happens because an internal enrollment endpoint bypasses space-scoped access controls by using an unscoped internal client. As a result, sensitive information such as operational identifiers, policy names, management states, and infrastructure linkage details from unauthorized spaces can be retrieved.

Compliance Impact

This vulnerability leads to cross-space information disclosure by allowing a user with Fleet agent management privileges in one Kibana space to access Fleet Server policy details from other spaces without proper authorization.

Such unauthorized access to sensitive operational identifiers, policy names, management states, and infrastructure linkage details could potentially result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Organizations using affected Kibana versions should review and restrict Fleet role assignments to trusted users only, to mitigate risks of unauthorized data exposure and help maintain compliance with these standards.

Impact Analysis

The vulnerability can lead to cross-space information disclosure through privilege abuse. A user with Fleet agent management privileges in one space can gain unauthorized visibility into Fleet Server policies and related sensitive details in other spaces.

This exposure of sensitive operational data can compromise the confidentiality of your Fleet topology and management information, potentially aiding attackers in further exploitation or reconnaissance.

Indicators of compromise include unusual access patterns in Kibana audit logs, especially access to Fleet enrollment endpoints by users whose privileges are limited to specific spaces.

Detection Guidance

This vulnerability can be detected by monitoring Kibana audit logs for unusual access patterns, especially accesses to Fleet enrollment settings endpoints by users whose Fleet privileges are limited to specific spaces.

Such unusual access may indicate cross-space enumeration attempts exploiting the vulnerability.

While specific commands are not provided, reviewing Kibana audit logs for these access patterns is recommended.

Mitigation Strategies

Immediate mitigation steps include reviewing Fleet role assignments across Kibana spaces to ensure that only trusted users have Fleet agent management privileges.

Restrict Fleet agent privileges to trusted users to prevent unauthorized visibility into Fleet topology across spaces.

Upgrading Kibana to versions 8.19.14, 9.2.8, or 9.3.3 where the issue is resolved is the recommended long-term solution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33460. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart