CVE-2026-4498

HIGH7.7EPSS 0.06%

Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope

Published: 4/13/2026Modified: 4/13/2026

Also known as:BIT-elk-2026-4498BIT-kibana-2026-4498

Description

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

Affected packages (2)

Bitnami/elk>= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
Bitnami/kibana>= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (2)

WEBhttps://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-4498