Skip to main content

Elastic EUVDEUVD-2026-20528

| CVE-2026-4498 HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-04-08 elastic GHSA-4c73-92cw-x6vq
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 17:16 euvd
EUVD-2026-20528
Analysis Generated
Apr 08, 2026 - 17:16 vuln.today
CVE Published
Apr 08, 2026 - 16:38 nvd
HIGH 7.7

DescriptionCVE.org

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

AnalysisAI

Authenticated Kibana users with Fleet management privileges can read Elasticsearch index data beyond their intended RBAC permissions through debug route handlers in the Fleet plugin. This scope bypass affects Elastic Kibana deployments where users hold Fleet sub-feature privileges (agent policies, settings management). The vulnerability requires low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), enabling cross-scope data confidentiality breach (S:C/C:H). No public exploit identified at time of analysis. EPSS data not available, but the specific privilege escalation vector and remote exploitability warrant prioritization in Kibana Fleet deployments.

Technical ContextAI

Kibana's Fleet plugin provides centralized management for Elastic Agents, including agent enrollment, policy distribution, and monitoring capabilities. The vulnerability stems from debug route handlers executing with excessive privileges (CWE-250), failing to enforce proper Elasticsearch Role-Based Access Control (RBAC) boundaries. These debug endpoints allow authenticated users with Fleet sub-feature permissions to query Elasticsearch indices that should be restricted by their assigned roles. The CAPEC-122 privilege abuse pattern indicates attackers leverage legitimate Fleet management credentials to access data stores outside their intended authorization scope. The affected component is cpe:2.3:a:elastic:kibana, specifically the Fleet plugin's debug routing layer which interfaces directly with Elasticsearch backend without adequate privilege containment.

RemediationAI

Upgrade to patched Kibana versions immediately: version 8.19.14 for 8.x deployments, version 9.2.8 for 9.2.x deployments, or version 9.3.3 for 9.3.x deployments as documented in Elastic Security Advisory ESA-2026-21 available at https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811. As an interim mitigation before patching, organizations should review and restrict Fleet sub-feature privileges to only essential personnel, audit existing users with agents, agent policies, and settings management permissions, and monitor Kibana audit logs for unexpected access to debug route endpoints. Consider temporarily disabling Fleet plugin debug routes if operationally feasible until patches can be deployed. Validate Elasticsearch RBAC policies are properly configured to minimize potential data exposure even in privilege escalation scenarios.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

EUVD-2026-20528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy