CVE-2026-49095
Analyzed Analyzed - Analysis Complete
Improper Input Validation in Kibana Fleet Agent Policy

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: Elastic

Description
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-49095
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.16 (exc)
elastic kibana From 9.0.0 (inc) to 9.3.5 (exc)
elastic kibana From 9.4.0 (inc) to 9.4.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user with Fleet management privileges to escalate their privileges by injecting values into the agent policy configuration, resulting in Elastic Agents receiving API keys with elevated Elasticsearch privileges. This can lead to unauthorized read and write access to sensitive Elasticsearch security indices.

Such unauthorized access to sensitive data could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information to ensure confidentiality and integrity.

Therefore, exploitation of this vulnerability may lead to non-compliance with these regulations due to improper access controls and potential exposure or modification of protected data.

Executive Summary

This vulnerability is an improper input validation issue in the Kibana Fleet agent policy management feature. It allows an authenticated user who has Fleet management privileges to manipulate the agent policy configuration by injecting values into a configuration override mechanism that is not properly validated.

As a result, an attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, which means they can gain unauthorized access beyond what is normally allowed for the Fleet management role.

Impact Analysis

This vulnerability can lead to privilege escalation, allowing an attacker to gain unauthorized read and write access to sensitive Elasticsearch security indices.

Such unauthorized access can compromise the confidentiality and integrity of sensitive data stored in Elasticsearch, potentially leading to data breaches or unauthorized modifications.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate CVE-2026-49095, you should upgrade Kibana Fleet to versions 8.19.16, 9.3.5, or 9.4.2 or later where the vulnerability is fixed.

If upgrading is not immediately possible, restrict the fleet-all privilege to limit the number of users who can exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart