Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-19)

Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration

Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). Exploitation requires an authenticated user who holds detection rule management privileges; it does not require the Elastic Defend privileges that normally gate these response actions, and no user interaction is needed.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.11
  • 9.x:
    • All versions from 9.0.0 up to and including 9.2.5
    • Version 9.3.0

Affected Configurations:

  • Automated response actions require the appropriate Elastic Stack subscription or Serverless project feature tier, and hosts must have Elastic Agent installed with the Elastic Defend integration.
  • Automated response actions are not enabled by default on detection rules; a user must explicitly configure them. The Elastic Defend feature privileges that gate them (Host Isolation, Process Operations) are set to None by default for new roles, so most users do not hold them unless explicitly granted. This vulnerability lets a user who has rule management privileges, but not those Elastic Defend privileges, attach endpoint response actions to a rule anyway.
  • The Update API is only vulnerable when response actions are being added to a rule that does not yet have any. If the rule already contains response actions, the existing authorization check is applied and the update is not affected.

Solutions and Mitigations:

The issue is resolved in versions 8.19.12, 9.2.6, and 9.3.1.

For Users that Cannot Upgrade:

Upgrade to a patched version as soon as possible. In the interim, restrict detection rule management privileges to users who are also authorized for endpoint response actions (Host Isolation and Process Operations), and review existing rules for response action configurations that were added by users who are not authorized for them.

Indicators of Compromise (IOC)

Audit all detection rules for response_actions entries with the .endpoint action type (commands isolate, kill-process and suspend-process) and confirm that each was added by a user authorized for endpoint response actions. A rule's updated_by and updated_at fields identify the last user to change it, which is a starting point for attribution but not proof of who added the action if the rule has since been edited by someone else.
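The audit above, as an added example that is not part of this advisory or Elastic's own code. It handles rule objects in the shape returned by Kibana's GET /api/detection_engine/rules/_find endpoint (a JSON object with page, perPage, total and a data array of rules, each of which carries response_actions entries with an action_type_id and params.command). SAMPLE_FIND_RESPONSE is a constructed sample in that shape, and AUTHORIZED_RESPONDERS is a hypothetical allowlist of users the reviewer has confirmed hold the Elastic Defend Host Isolation and Process Operations privileges; both are assumptions made for the example.

```python
"""Audit Kibana detection rules for .endpoint response actions.

Added example for ESA-2026-19, not Elastic's code. SAMPLE_FIND_RESPONSE is a
constructed sample shaped like a /api/detection_engine/rules/_find response;
AUTHORIZED_RESPONDERS is a hypothetical allowlist (assumption).
"""
import base64
import json
import urllib.request

# Commands named in the advisory; any other .endpoint command is still reported.
KNOWN_ENDPOINT_COMMANDS = {"isolate", "kill-process", "suspend-process"}

# Hypothetical allowlist of users confirmed to hold the Elastic Defend privileges.
AUTHORIZED_RESPONDERS = {"soc-lead"}

# Constructed sample data (not real rules).
SAMPLE_FIND_RESPONSE = {
    "page": 1, "perPage": 100, "total": 3,
    "data": [
        {   # no response actions at all: not reported
            "rule_id": "ssh-brute-force", "name": "SSH brute force",
            "created_by": "rule-author", "updated_by": "rule-author",
            "updated_at": "2026-02-10T09:00:00.000Z",
        },
        {   # endpoint action added by an authorized responder
            "rule_id": "lateral-movement-isolate", "name": "Lateral movement, isolate host",
            "created_by": "soc-lead", "updated_by": "soc-lead",
            "updated_at": "2026-02-11T14:30:00.000Z",
            "response_actions": [
                {"action_type_id": ".endpoint",
                 "params": {"command": "isolate", "comment": "approved playbook"}},
            ],
        },
        {   # endpoint actions saved by a user who only has rule management
            "rule_id": "cred-dump-kill", "name": "Credential dumping, kill process",
            "created_by": "rule-author", "updated_by": "rule-author",
            "updated_at": "2026-02-12T08:15:00.000Z",
            "response_actions": [
                {"action_type_id": ".osquery", "params": {"query": "select * from processes"}},
                {"action_type_id": ".endpoint",
                 "params": {"command": "kill-process",
                            "config": {"field": "process.pid", "overwrite": False}}},
                {"action_type_id": ".endpoint",
                 "params": {"command": "suspend-process",
                            "config": {"field": "process.pid", "overwrite": False}}},
            ],
        },
    ],
}


def endpoint_commands(rule):
    """Return the command of every .endpoint response action on a rule, in order."""
    commands = []
    for action in rule.get("response_actions") or []:
        if action.get("action_type_id") != ".endpoint":
            continue  # .osquery and other action types are out of scope here
        commands.append((action.get("params") or {}).get("command"))
    return commands


def audit_rules(rules, authorized):
    """Report every rule carrying endpoint response actions and who last saved it.

    updated_by only identifies the last editor; if the rule was edited again
    after the action was added, attribution needs the Kibana audit log.
    """
    findings = []
    for rule in rules:
        commands = endpoint_commands(rule)
        if not commands:
            continue
        actor = rule.get("updated_by") or rule.get("created_by")
        findings.append({
            "rule_id": rule.get("rule_id"),
            "name": rule.get("name"),
            "commands": commands,
            "unexpected_commands": [c for c in commands if c not in KNOWN_ENDPOINT_COMMANDS],
            "updated_by": actor,
            "updated_at": rule.get("updated_at"),
            "authorized": actor in authorized,
        })
    return findings


def fetch_all_rules(kibana_url, username, password, per_page=100):
    """Page through GET /api/detection_engine/rules/_find with basic auth.

    Not exercised by the sample run; kibana_url is the Kibana base URL
    (include /s/<space> for a non-default space).
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "kbn-xsrf": "true"}
    rules, page = [], 1
    while True:
        url = f"{kibana_url}/api/detection_engine/rules/_find?page={page}&per_page={per_page}"
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
            body = json.load(resp)
        rules.extend(body.get("data", []))
        if not body.get("data") or page * per_page >= body.get("total", 0):
            break
        page += 1
    return rules


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_FIND_RESPONSE["data"], AUTHORIZED_RESPONDERS):
        flag = "ok" if f["authorized"] else "REVIEW"
        print(f"{flag:6} {f['rule_id']:26} {','.join(f['commands']):28} "
              f"by {f['updated_by']} at {f['updated_at']}")
```

Run against a live stack by replacing SAMPLE_FIND_RESPONSE["data"] with fetch_all_rules(...); every finding marked REVIEW is a rule whose last editor is not on the allowlist and whose endpoint actions should be verified or removed.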

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE ID: CVE-2026-26939
Problem Type: CWE-862 - Missing Authorization
Impact: Accessing Functionality Not Properly Constrained by ACLs - CAPEC-1