Description

Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.

INFO

Published Date :

2026-04-08T16:43:30.788Z

Last Modified :

2026-04-09T14:26:20.085Z

Source :

elastic
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33460 vulnerability.

Vendors Products
Elastic
  • Kibana
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33460.

URL Resource
https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact