Incorrect Authorization Vulnerability in Kibana by Elastic
CVE-2026-33461
7.7 HIGH
What is CVE-2026-33461?
A vulnerability in Kibana allows users with limited Fleet privileges to exploit an internal API endpoint, leading to unintended disclosure of sensitive configuration data. The disclosed data includes private keys and authentication tokens, which should be restricted to higher-privileged users. The flaw stems from inadequate authorization checks that fail to restrict access to full configuration objects, posing significant risks to data security and privacy.
Affected Version(s)
Kibana 9.3.0 through 9.3.2 (inclusive)
Kibana 9.0.0 through 9.2.7 (inclusive)
Kibana 8.0.0 through 8.19.13 (inclusive)