Skip to main content

Elastic Defend CVE-2026-56152

| EUVDEUVD-2026-41087 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-01 security@elastic.co GHSA-vvj5-p4vc-v5q3
5.3
CVSS 3.1 · Vendor: elastic
Share

Severity by source

Vendor (elastic) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable via Kibana API, but AC:H reflects undisclosed prerequisite conditions; PR:L confirmed by description; confidentiality-only impact with no integrity or availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (elastic).

CVSS VectorVendor: elastic

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 17:43 vuln.today

DescriptionCVE.org

Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view.

AnalysisAI

Incorrect Authorization (CWE-863) in Elastic Defend exposes response action data to low-privileged authenticated users who should not have access to it. The flaw, classified under CAPEC-1, arises because access controls on specific functionality are not properly enforced, allowing a user with minimal privileges to read security response action data belonging to other users or roles. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Elastic credentials
Delivery
Authenticate to Kibana web interface
Exploit
Trigger specific undisclosed conditions (AC:H)
Execution
Query response action data API without proper authorization check
Impact
Exfiltrate sensitive endpoint response action results

Vulnerability AssessmentAI

Exploitation Exploitation requires a low-privileged, authenticated user account within the Elastic deployment (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 5.3 (Medium) is driven by AV:N (network reachable), PR:L (requires low-privileged account), AC:H (high complexity - 'under certain conditions'), and C:H (full confidentiality breach of response action data). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or created a low-privileged authenticated Kibana account - whether through credential theft, phishing, or a compromised service account - navigates to the Elastic Security response actions interface or queries the relevant API endpoint under the specific undisclosed conditions that bypass authorization checks. The attacker reads response action results intended for higher-privileged security analysts, gaining visibility into which hosts were isolated, what processes were killed, or what forensic files were collected, effectively mapping the scope of an ongoing security investigation.
Remediation The primary remediation is to upgrade Elastic Defend to the fixed version(s) identified in Elastic Security Advisory ESA-2026-46, available at https://discuss.elastic.co/t/elastic-defend-8-19-13-9-2-7-9-3-2-security-update-esa-2026-46. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-0353 HIGH POC
7.8 Feb 15

Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete file

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2014-4973 MEDIUM POC
6.9 Sep 23

The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in

CVE-2016-9892 MEDIUM POC
5.9 Mar 02

The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.

CVE-2024-2224 CRITICAL
9.8 Apr 09

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer compone

CVE-2024-2223 CRITICAL
9.8 Apr 09

An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Ser

CVE-2022-27534 CRITICAL
9.8 Apr 01

Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security with antivirus databases released before 12 March

CVE-2021-45090 CRITICAL
9.8 Dec 21

Stormshield Endpoint Security before 2.1.2 allows remote code execution. Rated critical severity (CVSS 9.8), this vulner

CVE-2016-3984 MEDIUM POC
5.1 Apr 08

The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.

CVE-2020-7332 HIGH
8.8 Nov 12

Cross Site Request Forgery vulnerability in the firewall ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0

CVE-2020-7319 HIGH
8.8 Sep 09

Improper Access Control vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Updat

Share

CVE-2026-56152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy