Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-21)

Execution with Unnecessary Privileges in Kibana Leading to Reading Index Data Beyond the User's Direct Elasticsearch RBAC Scope

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond the user's direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.13
  • 9.x:
    • All versions from 9.0.0 up to and including 9.2.7
    • All versions from 9.3.0 up to and including 9.3.2

Affected Configurations:

  • Default State: Fleet is enabled by default in Kibana (xpack.fleet.agents.enabled defaults to true). The debug routes are registered as internal routes when Fleet is active.
  • Configuration Requirement: No non-default configuration is required. The vulnerable routes are available in any standard Kibana deployment with Fleet enabled.

Solutions and Mitigations:

The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

For Users that Cannot Upgrade:

  • Restrict Fleet privileges: Review all custom roles that grant Fleet sub-feature privileges (agents_all, agent_policies_all, settings_all) and limit these to only trusted administrative users until a patch is applied. However, users should upgrade to the latest non-vulnerable version.
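The role review described above can be scripted against a saved copy of the Kibana roles listing. The following is an added example written for this advisory, not code from Elastic or the Kibana project. It assumes the role JSON has the shape returned by Kibana's roles API (a "name" plus a "kibana" array of entries with "base", "feature" and "spaces"), and it assumes the Fleet agent privileges live under the feature id "fleetv2"; both are assumptions to check against your own role output. The sample roles are constructed for the example.

```python
import json

# Kibana feature id under which Fleet's agent-side sub-feature privileges are
# granted in role definitions. This id is an assumption for the example; verify
# it against your own role JSON before relying on the output.
FLEET_FEATURE_ID = "fleetv2"

# Sub-feature privileges named in the advisory.
SENSITIVE_SUBFEATURE_PRIVILEGES = {"agents_all", "agent_policies_all", "settings_all"}

# Constructed sample in the shape of a Kibana roles listing (a JSON array of role
# objects with "name" and a "kibana" privilege array). Names and grants are made up.
SAMPLE_ROLES_JSON = """
[
  {"name": "fleet_admin", "elasticsearch": {}, "kibana": [
     {"base": [], "feature": {"fleetv2": ["all"]}, "spaces": ["*"]}]},
  {"name": "agent_ops", "elasticsearch": {}, "kibana": [
     {"base": [], "feature": {"fleetv2": ["minimal_read", "agents_all"]}, "spaces": ["default"]}]},
  {"name": "fleet_viewer", "elasticsearch": {}, "kibana": [
     {"base": [], "feature": {"fleetv2": ["read"]}, "spaces": ["*"]}]},
  {"name": "space_admin", "elasticsearch": {}, "kibana": [
     {"base": ["all"], "feature": {}, "spaces": ["*"]}]},
  {"name": "dashboards_only", "elasticsearch": {}, "kibana": [
     {"base": [], "feature": {"dashboard": ["read"]}, "spaces": ["*"]}]}
]
"""


def fleet_grants_for_role(role):
    """Return the set of grants in this role that confer the sensitive Fleet privileges."""
    grants = set()
    for entry in role.get("kibana", []):
        # A base "all" privilege grants every feature, Fleet included.
        if "all" in entry.get("base", []):
            grants.add("base:all")
        privs = set(entry.get("feature", {}).get(FLEET_FEATURE_ID, []))
        # The feature-level "all" privilege includes all of its sub-features.
        if "all" in privs:
            grants.add(f"{FLEET_FEATURE_ID}:all")
        grants.update(f"{FLEET_FEATURE_ID}:{p}" for p in privs & SENSITIVE_SUBFEATURE_PRIVILEGES)
    return grants


def review_roles(roles):
    """List roles to restrict while unpatched, with the grants that triggered each finding."""
    findings = []
    for role in roles:
        grants = fleet_grants_for_role(role)
        if grants:
            findings.append({"role": role["name"], "grants": sorted(grants)})
    return findings


def flagged_role_names(roles_json):
    """Convenience wrapper: role names flagged from a JSON roles listing."""
    return [f["role"] for f in review_roles(json.loads(roles_json))]


if __name__ == "__main__":
    for finding in review_roles(json.loads(SAMPLE_ROLES_JSON)):
        print(f"{finding['role']}: {', '.join(finding['grants'])}")
```

Roles granted the feature-level "all" privilege or a base "all" privilege are flagged alongside the three named sub-feature privileges, because those broader grants include them; roles that only hold "read" on Fleet are left alone.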

Indicators of Compromise (IOC)

If Kibana audit logging is enabled (xpack.security.audit.enabled: true), the following detection strategies can be used:

  • Search for requests to Fleet debug routes: Look for HTTP request audit events targeting paths matching /internal/fleet/debug/index or /internal/fleet/debug/saved_objects in Kibana audit logs.
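The path search above can be run offline over exported Kibana audit log files. The following is an added example written for this advisory, not code from Elastic or the Kibana project. It relies on Kibana's audit events being newline-delimited ECS JSON with event.action set to "http_request" and the request path in url.path; the log lines themselves are constructed for the example, including one malformed line to show the scan does not abort on it.

```python
import json
from collections import Counter

# The two Fleet debug route paths named in the advisory.
DEBUG_ROUTE_PATHS = (
    "/internal/fleet/debug/index",
    "/internal/fleet/debug/saved_objects",
)

# Constructed sample of Kibana audit log output (one ECS JSON event per line).
# Field names follow Kibana's audit event layout (event.action, url.path,
# user.name, client.ip); users, hosts, addresses and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2026-04-01T10:00:00.000Z","event":{"action":"http_request","category":["web"]},"http":{"request":{"method":"get"}},"url":{"domain":"kibana.example.internal","path":"/api/fleet/agents","port":5601},"user":{"name":"fleet_operator"},"client":{"ip":"10.0.0.12"}}
{"@timestamp":"2026-04-01T10:00:05.000Z","event":{"action":"http_request","category":["web"]},"http":{"request":{"method":"post"}},"url":{"domain":"kibana.example.internal","path":"/internal/fleet/debug/index","port":5601},"user":{"name":"fleet_operator"},"client":{"ip":"10.0.0.12"}}
{"@timestamp":"2026-04-01T10:00:07.000Z","event":{"action":"saved_object_find","category":["database"],"outcome":"success"},"kibana":{"saved_object":{"type":"index-pattern"}},"user":{"name":"analyst"}}
{"@timestamp":"2026-04-01T10:01:00.000Z","event":{"action":"http_request","category":["web"]},"http":{"request":{"method":"post"}},"url":{"domain":"kibana.example.internal","path":"/internal/fleet/debug/saved_objects","port":5601},"user":{"name":"analyst"},"client":{"ip":"10.0.0.44"}}
{"@timestamp":"2026-04-01T10:01:30.000Z","event":{"action":"http_request","category":["web"]},"http":{"request":{"method":"get"}},"url":{"domain":"kibana.example.internal","path":"/internal/fleet/debug/index","port":5601},"user":{"name":"analyst"},"client":{"ip":"10.0.0.44"}}
this line is not JSON and must be skipped rather than abort the scan
"""


def is_debug_route(path):
    """True if the request path is one of the Fleet debug routes or a sub-path of one."""
    return any(path == p or path.startswith(p + "/") for p in DEBUG_ROUTE_PATHS)


def find_debug_route_requests(log_text):
    """Return one record per http_request audit event that targeted a Fleet debug route."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep scanning
        if event.get("event", {}).get("action") != "http_request":
            continue  # only HTTP request events carry url.path
        path = event.get("url", {}).get("path", "")
        if not is_debug_route(path):
            continue
        hits.append({
            "line": lineno,
            "timestamp": event.get("@timestamp"),
            "user": event.get("user", {}).get("name"),
            "client_ip": event.get("client", {}).get("ip"),
            "method": event.get("http", {}).get("request", {}).get("method"),
            "path": path,
        })
    return hits


def summarize_by_user(hits):
    """Count debug-route requests per user, most active user first."""
    return Counter(h["user"] for h in hits).most_common()


if __name__ == "__main__":
    hits = find_debug_route_requests(SAMPLE_AUDIT_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['timestamp']} {h['user']}@{h['client_ip']} "
              f"{h['method'].upper()} {h['path']}")
    print("per-user:", summarize_by_user(hits))
```

Any hit is worth a look, since these internal debug routes are not something day-to-day Fleet use should touch; the per-user summary helps decide whether a finding is a single stray request or repeated use by one account, and the user and client address fields give the pivot points for the rest of the investigation.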

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: High ( 7.7 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-4498
Problem Type: CWE-250 - Execution with Unnecessary Privileges
Impact: CAPEC-122 - Privilege Abuse