Incorrect Authorization Vulnerability in Kibana by Elastic
CVE-2026-33461

7.7 HIGH

Key Information:

Vendor

Elastic

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-33461?

A vulnerability in Kibana allows users with limited Fleet privileges to exploit an internal API endpoint, leading to unintended disclosure of sensitive configuration data. This includes private keys and authentication tokens that should be accessible only to higher-privileged users. The flaw stems from inadequate authorization checks that fail to restrict access to full configuration objects, posing significant risks for data security and privacy.

Affected Version(s)

Kibana 9.3.0 <= 9.3.2

Kibana 9.0.0 <= 9.2.7

Kibana 8.0.0 <= 8.19.13

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved