Platform: nodejs
Component: kibana
Fixed in: 9.3.3, 9.2.8, 8.19.14
CVE-2026-33460 describes an Information Disclosure vulnerability in Kibana. This flaw allows users with Fleet agent management privileges in one Kibana space to retrieve sensitive Fleet Server policy details from other spaces, bypassing space-scoped access controls. The vulnerability impacts Kibana versions 8.0.0 through 9.3.2 and has been resolved in version 9.3.3.
An attacker exploiting this vulnerability could gain unauthorized access to Fleet Server policy details, including operational identifiers, policy names, management state, and infrastructure linkage information from spaces where the user lacks proper authorization. This information could be used to map the Kibana environment, identify potential targets for further attacks, or exfiltrate sensitive data. While the vulnerability requires Fleet agent management privileges, the ability to bypass space-scoped access controls significantly expands the potential attack surface. The impact is particularly concerning in multi-tenant environments or where different spaces are used to isolate sensitive data.
CVE-2026-33460 was publicly disclosed on 2026-04-08. The vulnerability's impact is considered medium due to the requirement of Fleet agent management privileges, but the bypass of access controls raises concerns. No public proof-of-concept (POC) code has been released as of this writing. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33460 is to upgrade Kibana to version 9.3.3 or later, which contains the fix. If immediate upgrading is not possible, consider tightening access controls within Kibana spaces to limit the scope of Fleet agent management privileges. Review existing Fleet Server policies to ensure they adhere to the principle of least privilege. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious requests targeting the internal enrollment endpoint and potentially block unauthorized access. After upgrading, confirm the fix by attempting, as a user whose Fleet agent management privileges are limited to one space, to access Fleet Server policy details belonging to another space; the request should be denied.
Update Kibana to version 8.19.14, 9.2.8, or 9.3.3 or later to mitigate the vulnerability. This update corrects the incorrect authorization check that allows unauthorized access to Fleet Server policy details.
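A post-upgrade version check, added here as an example and not part of the advisory or of Kibana itself: it applies the three fix versions above per release line (so a 9.1.x build is not treated as fixed merely because it is numerically above 8.19.14) and reads the running version from a constructed sample of Kibana's GET /api/status response. That the response carries `version.number`, and that release lines not listed above received no backport, are assumptions.

```python
import json
import re
from typing import Tuple

# Fixed versions from the advisory, keyed by (major, minor) release line.
# Assumption: a line not listed here (e.g. 9.0.x, 9.1.x, 8.18.x) received no
# backport, so builds on such lines stay affected until the next fixed line.
FIXED_BY_LINE = {
    (8, 19): 14,
    (9, 2): 8,
    (9, 3): 3,
}
FIRST_AFFECTED = (8, 0, 0)  # advisory: affected from 8.0.0 onwards


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (ignoring any trailing suffix) into an int tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if this Kibana build falls inside the CVE-2026-33460 affected range."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False  # predates the affected range entirely
    if major > 9 or (major == 9 and minor > 3):
        return False  # newer than the newest fixed line (9.3.3)
    fix_patch = FIXED_BY_LINE.get((major, minor))
    if fix_patch is not None:
        return patch < fix_patch  # on a fixed line: compare the patch number
    return True  # unlisted line inside the range: conservatively affected


def version_from_status(status_json: str) -> str:
    """Extract version.number from a Kibana GET /api/status response body."""
    return json.loads(status_json)["version"]["number"]


def assess(status_json: str) -> dict:
    """Combine the two steps: parse the status body, then gate on the fix list."""
    version = version_from_status(status_json)
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample of a /api/status body, trimmed to the field used here.
SAMPLE_STATUS = '{"name": "kibana-01", "version": {"number": "9.2.7", "build_snapshot": false}}'

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))  # 9.2.7 sits below the 9.2.8 fix on its line
```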
CVE-2026-33460 is a medium-severity vulnerability in Kibana allowing unauthorized access to Fleet Server policy details across spaces due to a bypass of access controls.
You are affected if you are running Kibana versions 8.0.0 through 9.3.2 and utilize Fleet management features.
Upgrade Kibana to version 9.3.3 or later to remediate the vulnerability. Consider stricter access controls as an interim measure.
There is no confirmed active exploitation of CVE-2026-33460 at this time, but the bypass of access controls warrants vigilance.
Refer to the Elastic security advisory for CVE-2026-33460 on the Elastic website: [https://www.elastic.co/security/advisories/CVE-2026-33460](https://www.elastic.co/security/advisories/CVE-2026-33460)