Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.13
- 9.x:
  - All versions from 9.0.0 up to and including 9.2.7
  - All versions from 9.3.0 up to and including 9.3.2
Affected Configurations:
Deployments using Kibana Spaces with Fleet enabled are affected. Exploitation requires that a user has been assigned Fleet agent management privileges in at least one space, while Fleet Server policies exist in other spaces.
Solutions and Mitigations:
The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.
For Users that Cannot Upgrade:
Review Fleet role assignments across spaces and ensure users with Fleet agent privileges are trusted with visibility into Fleet topology across all spaces, or restrict Fleet privileges to trusted users only.
Indicators of Compromise (IOC)
Review Kibana audit logs for access to Fleet enrollment settings endpoints. Unusual access patterns from users with Fleet agent privileges limited to specific spaces may indicate cross-space enumeration attempts.
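An added example, not from the advisory, of the audit-log review described above: it parses Kibana audit events (ECS JSON, one per line) and flags requests to a Fleet enrollment route by users whose Fleet privileges cover only some spaces, either from a space where they hold no Fleet privileges or repeatedly from one space. The route markers, the user-to-space mapping and the sample events are assumptions constructed for the example.

```python
"""Flag Fleet enrollment-endpoint requests in Kibana audit logs (ECS JSON, one
event per line) by users whose Fleet privileges cover only some spaces."""
import json
from collections import defaultdict

# Assumption: the enrollment route contains both markers; take the exact path
# from your own Kibana version's audit events.
ENROLLMENT_MARKERS = ("/fleet/", "enrollment")

# Constructed mapping of user -> spaces with Fleet agent privileges ("*" = all).
FLEET_SCOPE = {"alice": {"team-a"}, "bob": {"*"}}

# Constructed sample events shaped like Kibana's nested ECS audit records.
SAMPLE_LOG = """\
{"event":{"action":"http_request"},"url":{"path":"/internal/fleet/settings/enrollment"},"user":{"name":"alice"},"kibana":{"space_id":"team-a"}}
{"event":{"action":"http_request"},"url":{"path":"/internal/fleet/settings/enrollment"},"user":{"name":"alice"},"kibana":{"space_id":"team-a"}}
{"event":{"action":"http_request"},"url":{"path":"/internal/fleet/settings/enrollment"},"user":{"name":"alice"},"kibana":{"space_id":"team-b"}}
{"event":{"action":"http_request"},"url":{"path":"/internal/fleet/settings/enrollment"},"user":{"name":"bob"},"kibana":{"space_id":"default"}}
{"event":{"action":"http_request"},"url":{"path":"/api/fleet/agents"},"user":{"name":"alice"},"kibana":{"space_id":"team-a"}}
{"event":{"action":"http_request"},"url":{"path":"/internal/fleet/settings/enrollment"},"user":{"name":"carol"},"kibana":{"space_id":"ops"}}
"""

def is_enrollment_request(event: dict) -> bool:
    """True for an http_request audit event whose path matches the enrollment route."""
    path = event.get("url", {}).get("path", "")
    return (event.get("event", {}).get("action") == "http_request"
            and all(marker in path for marker in ENROLLMENT_MARKERS))

def find_suspicious(lines, scope=FLEET_SCOPE, threshold=2):
    """Report (user, space) pairs that hit the route from a space where the user
    holds no Fleet privileges, or at least `threshold` times from one space."""
    counts = defaultdict(int)
    for line in filter(str.strip, lines):  # skip blank lines
        event = json.loads(line)
        if is_enrollment_request(event):
            user = event.get("user", {}).get("name", "<unknown>")
            space = event.get("kibana", {}).get("space_id", "default")
            counts[(user, space)] += 1
    findings = []
    for (user, space), count in counts.items():
        allowed = scope.get(user, set())
        if "*" in allowed:
            continue  # privileged everywhere: cross-space visibility is expected
        reason = ("outside Fleet scope" if space not in allowed
                  else "repeated access" if count >= threshold else None)
        if reason:
            findings.append({"user": user, "space": space, "count": count, "reason": reason})
    return findings
```

Users absent from the scope mapping are treated as holding no Fleet privileges anywhere, so every hit they produce is reported for review.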
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (4.3) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-33460
Problem Type: CWE-863 - Incorrect Authorization
Impact: CAPEC-122 - Privilege Abuse