CVE-2026-4498

7.7 HIGH

Published: April 08, 2026 Modified: April 08, 2026

Description

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811

Source: security@elastic.co

1 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.7 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-250

Related CVEs

CVE-2026-4837 6.6

CVE-2026-33461 7.7

CVE-2026-33460 4.3

CVE-2026-31017 N/A

CVE-2026-30080 N/A