SB2026040923 - Multiple vulnerabilities in Kibana

Published: April 9, 2026

Security Bulletin ID: SB2026040923
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 40%
Low: 60%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Execution with unnecessary privileges (CVE-ID: CVE-2026-4498)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to execution with unnecessary privileges in Kibana Fleet plugin debug route handlers when handling requests to internal debug routes. A remote user can send requests to the debug routes to disclose sensitive information.

Exploitation requires Fleet to be enabled and the user to have Fleet sub-feature privileges such as agents, agent policies, or settings management.


2) Incorrect authorization (CVE-ID: CVE-2026-33461)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in an internal Fleet API endpoint when handling requests for configuration data. A remote user can send a request to retrieve sensitive configuration data to disclose sensitive information.

Exploitation requires Fleet to be enabled and the user to have Fleet Agents privilege without Fleet Settings privilege.


3) Incorrect authorization (CVE-ID: CVE-2026-33460)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the internal Fleet enrollment endpoint when handling requests for Fleet Server policy details across spaces. A remote user can send a crafted request to disclose sensitive information.

Exploitation requires Fleet to be enabled, Kibana Spaces to be in use, and the user to have Fleet agent management privileges in at least one space while Fleet Server policies exist in other spaces.


4) Resource exhaustion (CVE-ID: CVE-2026-33459)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the automatic import feature when handling specially crafted requests with excessively large input values. A remote user can submit concurrent crafted requests to cause a denial of service.

Only deployments with the automatic import plugin enabled are vulnerable.


5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33458)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in Kibana One Workflow Workflows Execution Engine when processing workflow HTTP steps that follow redirects. A remote user can send a specially crafted workflow to disclose sensitive information.

Exploitation requires workflow creation and execution privileges, and only deployments with the Workflows Execution Engine enabled are vulnerable.
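The pattern behind item 5 is a server-side HTTP client that validates the first URL but then lets the transport follow a redirect to an address it would never have accepted directly (a loopback, link-local or private host). The defensive control is to disable automatic redirect handling and re-validate every hop, including the addresses a hostname resolves to, before the next request is made. The following is an added, self-contained Python example written for this bulletin; it is not Kibana's code and has no knowledge of the Workflows Execution Engine. The `fetcher` and `resolver` callables, the sample host names, the sample redirect table and the address 93.184.216.34 standing in for "some public host" are all constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Hypothetical interfaces chosen for this example:
#   resolver(host) -> every address the host maps to
#   fetcher(url)   -> (status, headers) for ONE request, never following redirects
Resolver = Callable[[str], Iterable[str]]
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its addresses; every one must pass the check."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def address_is_internal(addr: str) -> bool:
    """True for loopback, link-local, private, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as 127.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it is rejected."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    try:  # IP literals are checked directly; names go through the resolver
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        return f"could not resolve {host!r}"
    for addr in addrs:
        if address_is_internal(addr):
            return f"{host!r} resolves to internal address {addr}"
    return None


def fetch_with_safe_redirects(url: str, fetcher: Fetcher,
                              resolver: Resolver = default_resolver):
    """Follow redirects by hand, validating each hop before requesting it.

    Returns (final_url, status, hops); raises ValueError when a hop is rejected
    or the redirect limit is exceeded.
    """
    hops = [url]
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_url(current, resolver)
        if reason:
            raise ValueError(f"blocked {current}: {reason}")
        status, headers = fetcher(current)
        headers = {k.lower(): v for k, v in headers.items()}
        location = headers.get("location")
        if status not in REDIRECT_STATUSES or not location:
            return current, status, hops
        current = urljoin(current, location)  # relative Location values allowed
        hops.append(current)
    raise ValueError(f"too many redirects (limit {MAX_REDIRECTS})")


# Constructed sample data: a DNS table and a redirect table standing in for
# real servers so the example runs offline.
SAMPLE_DNS = {
    "example.test": ["93.184.216.34"],   # arbitrary public address for the sample
    "internal.test": ["10.0.0.5"],       # private address
}
SAMPLE_RESPONSES = {
    "http://example.test/ok": (302, {"Location": "/final"}),
    "http://example.test/final": (200, {}),
    "http://example.test/start": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "http://example.test/hop": (302, {"Location": "http://internal.test/admin"}),
    "http://example.test/loop": (302, {"Location": "http://example.test/loop"}),
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def sample_fetcher(url: str) -> Tuple[int, Dict[str, str]]:
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://example.test/ok", "http://example.test/start",
                  "http://example.test/hop", "http://example.test/loop"):
        try:
            print(start, "->", fetch_with_safe_redirects(start, sample_fetcher, sample_resolver))
        except ValueError as exc:
            print(start, "->", exc)
```

The important design choice is that the validation runs on the URL about to be requested, not only on the one the user supplied, and that it checks every resolved address rather than the first. A real deployment would also pin the validated address for the actual connection (so DNS cannot change between check and use) and apply the same check to any proxy configuration the client honours.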


Remediation

Install update from vendor's website.