Skip to main content

Elastic CVE-2026-33461

| EUVDEUVD-2026-20525 HIGH
Incorrect Authorization (CWE-863)
2026-04-08 elastic GHSA-jf72-2wmj-p2f3
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 16:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 17:16 euvd
EUVD-2026-20525
Analysis Generated
Apr 08, 2026 - 17:16 vuln.today
CVE Published
Apr 08, 2026 - 16:41 nvd
HIGH 7.7

DescriptionCVE.org

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.

AnalysisAI

Authorization bypass in Elastic Kibana allows authenticated users with limited Fleet privileges to retrieve sensitive configuration data including private keys and authentication tokens through an internal API endpoint. The vulnerability affects network-accessible instances and bypasses intended privilege boundaries by returning full configuration objects without proper authorization checks. CVSS score of 7.7 reflects high confidentiality impact with scope change. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.

Technical ContextAI

This vulnerability stems from an Incorrect Authorization weakness (CWE-863) in Kibana's Fleet management API implementation. The affected internal API endpoint fails to enforce proper authorization controls when composing responses, directly returning complete configuration objects that include sensitive data such as cryptographic private keys and authentication tokens. The flaw represents a classic privilege escalation scenario where the API trusts the caller's initial authentication but fails to verify sufficient authorization for the sensitive data being accessed. Unlike the dedicated settings APIs which properly enforce role-based access controls requiring higher-level settings privileges, this internal endpoint bypasses these checks entirely. The vulnerability exploits the common anti-pattern of fetching comprehensive data objects and returning them wholesale rather than filtering based on the caller's privilege level, enabling CAPEC-122 Privilege Abuse attacks where lower-privileged Fleet users can access data intended only for administrators or users with explicit settings management permissions.

RemediationAI

Upgrade to the vendor-released patched versions immediately: Kibana 8.19.14 for 8.x deployments, 9.2.8 for 9.2.x series, or 9.3.3 for 9.3.x series as specified in Elastic Security Advisory ESA-2026-24 available at https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812. The patches implement proper authorization checks on the internal API endpoint to enforce privilege boundaries consistent with dedicated settings APIs. As an interim mitigation for environments where immediate patching is not feasible, restrict network access to Kibana instances to trusted networks only and conduct an audit of Fleet privilege assignments to ensure least-privilege principles are enforced. Review access logs for suspicious API activity from users with Fleet privileges accessing configuration endpoints, particularly focusing on requests to internal API paths that return configuration data. Rotate any private keys and authentication tokens that may have been exposed if unauthorized access is suspected, and implement network segmentation to limit the scope of potential credential compromise.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-33461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy