CVE-2026-4498

HIGH7.7EPSS 0.06%

Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope

發布日:2026/4/13修改日:2026/4/13

描述

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

受影響套件(2)

Bitnami/elk>= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
Bitnami/kibana>= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

參考連結(2)

WEBhttps://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-4498