Input validation error in Kibana - CVE-2026-49095

 

Published: May 29, 2026


Vulnerability identifier: #VU132757
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-49095
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper input validation in the Kibana Fleet agent policy management feature when processing configuration overrides. A remote privileged user can inject values into the configuration override mechanism to escalate privileges.

Only deployments that have the Fleet feature enabled, and in which users have been granted the Fleet management application privilege, are affected.


How to mitigate CVE-2026-49095

Install the security update from the vendor's website.
