Elastic Defend 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-46)

Incorrect Authorization in Elastic Defend Leading to Information Disclosure

Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view.

Affected Versions:

  • 8.x: All versions from 8.6.0 up to and including 8.19.12
  • 9.x:
    • All versions from 9.0.0 up to and including 9.2.6
    • All versions from 9.3.0 up to and including 9.3.1
    • (9.4.0 and later not affected)

Affected Configurations:

  • Affects deployments that use Elastic Defend response actions.

Solutions and Mitigations:

The issue is resolved in versions 8.19.13, 9.2.7, and 9.3.2.
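To check an inventory against the affected ranges and fixed releases listed in this advisory, the following added example (not Elastic's own code) compares versions numerically and reports the fixed release for each affected host. Assumptions: host names and the sample inventory are constructed, each affected range is paired with the fixed release of its own line, and a version match only matters for deployments that use Elastic Defend response actions.

```python
import re

# Affected ranges (inclusive) and fixed releases, copied from this advisory.
# Pairing each range with the fix on its own release line is an assumption.
AFFECTED = [
    ((8, 6, 0), (8, 19, 12), "8.19.13"),
    ((9, 0, 0), (9, 2, 6), "9.2.7"),
    ((9, 3, 0), (9, 3, 1), "9.3.2"),
]

def parse_version(text):
    """Return (major, minor, patch) from '8.19.12', 'v9.3.1' or '9.3.0-SNAPSHOT'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Return (affected, fixed_release_or_None) for one version string."""
    # Integer tuples compare numerically; plain string comparison would
    # wrongly sort "8.19.12" before "8.6.0".
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return True, fixed
    return False, None

def triage_inventory(inventory):
    """Map host -> fixed release to upgrade to, for affected hosts only."""
    result = {}
    for host, version_text in inventory.items():
        affected, fixed = triage(version_text)
        if affected:
            result[host] = fixed
    return result

# Constructed inventory with hypothetical host names.
SAMPLE_INVENTORY = {
    "ws-001": "8.5.3",    # before 8.6.0: not affected
    "ws-002": "8.19.12",  # last affected 8.x release
    "ws-003": "8.19.13",  # fixed
    "srv-010": "9.1.4",   # inside 9.0.0 to 9.2.6
    "srv-011": "9.3.1",   # last affected 9.3.x release
    "srv-012": "9.4.0",   # not affected
}

if __name__ == "__main__":
    for host, fixed in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to {fixed} or later")
```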

For Users that Cannot Upgrade:

There are no workarounds for this vulnerability.

Indicators of Compromise (IOC)

No specific indicators of compromise have been identified for this vulnerability.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (5.3) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-56152
Problem Type: CWE-863 - Incorrect Authorization
Impact: CAPEC-1 - Accessing Functionality Not Properly Constrained by ACLs