CVE-2026-33461
Incorrect Authorization in Kibana Fleet API Exposes Sensitive Data
Publication date: 2026-04-08
Last updated on: 2026-04-22
Assigner: Elastic
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | From 8.0.0 (inc) to 8.19.14 (exc) |
| elastic | kibana | From 9.0.0 (inc) to 9.2.8 (exc) |
| elastic | kibana | From 9.3.0 (inc) to 9.3.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33461 is an incorrect authorization vulnerability in Kibana that affects users with limited Fleet privileges. It allows such users to exploit an internal API endpoint that bypasses normal authorization checks, enabling them to retrieve sensitive configuration data.
This sensitive data includes private keys and authentication tokens that should only be accessible to users with higher-level Fleet settings privileges. The vulnerability arises because the endpoint returns full configuration objects directly without enforcing the proper authorization controls.
Exploitation requires that a user has been explicitly assigned Fleet agent management privileges, which are not granted by default.
How can this vulnerability impact me? :
This vulnerability can lead to significant information disclosure by allowing users with limited privileges to access sensitive configuration data such as private keys and authentication tokens.
Such exposure can compromise the security of the affected system by enabling unauthorized access or misuse of credentials, potentially leading to further attacks or unauthorized actions within the environment.
The vulnerability has a high severity rating with a CVSS v3.1 base score of 7.7, indicating a serious risk if exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring audit log entries for suspicious access patterns. Specifically, look for audit logs showing access to Fleet enrollment settings endpoints by users who do not have Fleet settings privileges, as this indicates possible exploitation.
While specific commands are not provided, you should review your Kibana audit logs for unauthorized access attempts to Fleet agent management or enrollment settings endpoints.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Kibana to versions 8.19.14, 9.2.8, or 9.3.3 where the vulnerability is fixed.
If upgrading immediately is not possible, restrict Fleet role assignments to trusted users only or remove Fleet agent privileges from untrusted users.
Additionally, rotate any potentially exposed proxy credentials to prevent misuse.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows users with limited Fleet privileges to access sensitive configuration data, including private keys and authentication tokens, which should be restricted to higher-privileged users. Such unauthorized disclosure of sensitive information can lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive data and require protection against unauthorized disclosure.
Organizations using affected Kibana versions should consider this vulnerability a risk to confidentiality requirements under these regulations and take immediate remediation steps such as upgrading Kibana, restricting Fleet role assignments, and rotating any potentially exposed credentials to maintain compliance.