CVE-2026-4498
Privilege Abuse in Kibana Fleet Plugin Allows Unauthorized Data Access
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Elastic
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | From 8.0.0 (inc) to 8.19.14 (exc) |
| elastic | kibana | From 9.0.0 (inc) to 9.2.8 (exc) |
| elastic | kibana | From 9.3.0 (inc) to 9.3.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4498 is a vulnerability in Kibana's Fleet plugin debug route handlers where these handlers execute with unnecessary privileges. This flaw allows an authenticated Kibana user who has Fleet sub-feature privileges (such as managing agents, agent policies, or settings) to read Elasticsearch index data beyond what their direct RBAC permissions allow.
The issue is classified as Execution with Unnecessary Privileges (CWE-250) and involves privilege abuse (CAPEC-122). It affects Kibana versions 8.0.0 through 8.19.13 and 9.0.0 through 9.2.7 and 9.3.0 through 9.3.2, with Fleet enabled by default.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated Kibana user with Fleet sub-feature privileges to read Elasticsearch index data beyond their authorized RBAC scope, resulting in a high confidentiality impact.
Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on data access and confidentiality.
Therefore, exploitation of this vulnerability could compromise compliance by exposing protected or regulated data to users without proper authorization.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive Elasticsearch index data by users who should not have such access, due to privilege escalation within Kibana's Fleet plugin.
The impact is primarily on confidentiality, as attackers can read data beyond their authorized scope. There is no impact on data integrity or system availability.
Because the vulnerability requires an authenticated user with Fleet privileges, the risk is higher if those privileges are widely granted or not properly restricted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by enabling Kibana audit logging and monitoring HTTP requests to specific Fleet debug routes.
Specifically, enable audit logging by setting the configuration option xpack.security.audit.enabled to true.
Once audit logging is enabled, monitor for HTTP requests to the following paths which indicate potential exploitation attempts:
- /internal/fleet/debug/index
- /internal/fleet/debug/saved_objects
Suggested commands include using tools like curl or network monitoring utilities to check for requests to these paths, or querying Kibana audit logs for entries containing these endpoints.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Kibana to a fixed version:
- Upgrade to Kibana 8.19.14, 9.2.8, or 9.3.3 or later.
If immediate upgrade is not possible, restrict Fleet privileges by reviewing and limiting custom roles that grant Fleet sub-feature privileges.
- Limit roles such as agents_all, agent_policies_all, and settings_all to trusted administrative users only.
Additionally, enable Kibana audit logging (xpack.security.audit.enabled: true) to detect and monitor any exploitation attempts.