Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-24)

Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.13
  • 9.x:
    • All versions from 9.0.0 up to and including 9.2.7
    • All versions from 9.3.0 up to and including 9.3.2

Affected Configurations:

Deployments with Fleet enabled where users have been granted the Fleet Agents privilege without the Fleet Settings privilege. Fleet is available by default in Kibana, but exploitation requires that a user has been explicitly assigned Fleet agent management privileges.

Solutions and Mitigations:

The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

For Users that Cannot Upgrade:

  • Review Fleet role assignments and ensure users with Fleet agent privileges are trusted with access to Fleet configuration data, or remove Fleet agent privileges from untrusted users until the upgrade can be applied.
  • Rotate any proxy credentials (private keys, authentication tokens) that may have been exposed through the affected endpoint.

Indicators of Compromise (IOC)

Review Kibana audit logs for access to Fleet enrollment settings endpoints by users who do not have Fleet settings privileges. Unexpected access patterns from users with only Fleet agent privileges may indicate exploitation.
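One way to run that review over exported audit logs, as an added example that is not Elastic's code: it parses ECS-style Kibana audit events, keeps `http_request` events, and flags requests to Fleet settings paths made by users known to hold only the Fleet Agents privilege. The endpoint path pattern, the sample log lines and the user list are constructed assumptions; the advisory does not name the affected endpoint, so the path is a placeholder to be replaced with the real one.

```python
import json
import re

# Constructed sample Kibana audit log (ECS-style JSON, one event per line).
# The "enrollment_settings_placeholder" path is a PLACEHOLDER, not the real endpoint.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2026-03-01T10:00:01Z","event":{"action":"http_request"},"url":{"path":"/api/fleet/agents"},"user":{"name":"agent-operator"}}
{"@timestamp":"2026-03-01T10:00:05Z","event":{"action":"http_request"},"url":{"path":"/internal/fleet/enrollment_settings_placeholder"},"user":{"name":"agent-operator"}}
{"@timestamp":"2026-03-01T10:01:00Z","event":{"action":"http_request"},"url":{"path":"/internal/fleet/enrollment_settings_placeholder"},"user":{"name":"fleet-admin"}}
{"@timestamp":"2026-03-01T10:02:00Z","event":{"action":"saved_object_find"},"user":{"name":"agent-operator"}}
not-json garbage line
"""

# Assumption: Fleet settings endpoints sit under /api/fleet or /internal/fleet and
# contain "settings" in the path. Replace with the exact path once it is known.
FLEET_SETTINGS_PATH = re.compile(r"^/(?:api|internal)/fleet/.*settings")

# Constructed: users holding Fleet Agents but NOT Fleet Settings privilege.
# In practice derive this set from role definitions (GET /api/security/role).
AGENT_ONLY_USERS = {"agent-operator"}


def parse_audit_events(log_text):
    """Yield parsed audit events, skipping blank or non-JSON lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_suspicious_access(log_text, agent_only_users, path_re=FLEET_SETTINGS_PATH):
    """Return HTTP requests to Fleet settings endpoints made by agent-only users."""
    hits = []
    for ev in parse_audit_events(log_text):
        if ev.get("event", {}).get("action") != "http_request":
            continue
        path = ev.get("url", {}).get("path", "")
        user = ev.get("user", {}).get("name")
        if user in agent_only_users and path_re.match(path):
            hits.append({"timestamp": ev.get("@timestamp"), "user": user, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_AUDIT_LOG, AGENT_ONLY_USERS):
        print(f"{hit['timestamp']} {hit['user']} -> {hit['path']}")
```

Each hit is a candidate for the access-pattern review the advisory describes; the same user reaching the Fleet agents endpoint, or an admin reaching the settings endpoint, is not flagged.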

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: High (7.7) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-33461
Problem Type: CWE-863 - Incorrect Authorization
Impact: CAPEC-122 - Privilege Abuse