SB2026040923 - Multiple vulnerabilities in Kibana


Published: April 9, 2026. Updated: May 29, 2026.

Security Bulletin ID: SB2026040923
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 33%, Low: 67%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Execution with unnecessary privileges (CVE-ID: CVE-2026-4498)

CWE-ID: CWE-250 - Execution with Unnecessary Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to execution with unnecessary privileges in the Kibana Fleet plugin's debug route handlers when handling requests to internal debug routes. A remote user can send requests to these debug routes to disclose sensitive information.

Exploitation requires Fleet to be enabled and the user to have Fleet sub-feature privileges such as agents, agent policies, or settings management.


2) Incorrect authorization (CVE-ID: CVE-2026-33461)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in an internal Fleet API endpoint when handling requests for configuration data. A remote user can send a request to this endpoint to retrieve sensitive configuration data.

Exploitation requires Fleet to be enabled and the user to have the Fleet Agents privilege but not the Fleet Settings privilege.


3) Incorrect authorization (CVE-ID: CVE-2026-33460)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the internal Fleet enrollment endpoint when handling requests for Fleet Server policy details across spaces. A remote user can send a crafted request to disclose sensitive information.

Exploitation requires Fleet to be enabled, Kibana Spaces to be in use, and the user to have Fleet agent management privileges in at least one space while Fleet Server policies exist in other spaces.


4) Resource exhaustion (CVE-ID: CVE-2026-33459)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the automatic import feature when handling specially crafted requests with excessively large input values. A remote user can submit concurrent crafted requests to cause a denial of service.

Only deployments with the automatic import plugin enabled are vulnerable.


5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33458)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in Kibana One Workflow Workflows Execution Engine when processing workflow HTTP steps that follow redirects. A remote user can send a specially crafted workflow to disclose sensitive information.

Exploitation requires workflow creation and execution privileges, and only deployments with the Workflows Execution Engine enabled are vulnerable.


6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-42398)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access unauthorized network destinations.

The vulnerability exists due to server-side request forgery in Webhook connector handling when configuring a crafted target. A remote user can configure a Webhook connector with a crafted target to access unauthorized network destinations.

Only deployments where the xpack.actions.allowedHosts setting is configured to restrict outbound connector connections are affected.


Remediation

Install the update from the vendor's website.