Platform: nodejs
Component: kibana
Fixed in: 9.3.3, 9.2.8, 8.19.14
CVE-2026-33461 is an information disclosure vulnerability in Kibana caused by incorrect authorization handling. The flaw allows a user with limited Fleet privileges to call an internal API endpoint and retrieve sensitive configuration data, including private keys and authentication tokens, that should be restricted to users with higher privileges. The vulnerability affects Kibana versions 8.0.0 through 9.3.2, and a patch is available in version 9.3.3.
CVE-2026-33461 affects Kibana and leads to sensitive information disclosure due to incorrect authorization. A user with limited Fleet privileges can use an internal API endpoint to access confidential configuration data, including private keys and authentication tokens. The root cause is that the API does not adequately verify the caller's permissions, so users with insufficient privileges can obtain information that should be accessible only to administrators holding higher-level settings privileges. The potential impact is severe: exposure of these credentials could compromise the security of the entire Elasticsearch and Kibana infrastructure, enabling unauthorized access to sensitive data and further malicious actions.
The vulnerability is exploited through an internal Kibana API that does not properly verify permissions. A user with limited Fleet privileges sends a request to this API to obtain configuration data, and because authorization is not enforced, the API returns the full configuration, including sensitive information such as private keys and authentication tokens. Exploitation requires no complex authentication bypass, only an authenticated user with limited access to Fleet. The ease of exploitation combined with the potential impact makes this vulnerability a significant concern for organizations running Kibana.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
The fix for CVE-2026-33461 is to update Kibana to version 9.3.3 or later. The update corrects the vulnerability by enforcing stricter authorization controls on the affected internal API. Apply it as soon as possible, especially in production environments. In addition, review Fleet user privileges so that those users have access only to the resources they need. Monitoring Kibana logs for unexpected requests to the internal API can help detect and respond to exploitation attempts. Finally, applying the principle of least privilege across all user roles limits the blast radius of flaws of this kind.
Update Kibana to version 8.19.14, 9.2.8, or 9.3.3 or later to mitigate the vulnerability. This update corrects the incorrect authorization in the Fleet internal API, preventing sensitive information disclosure.
Kibana is a data visualization tool used with Elasticsearch. It allows users to explore and analyze data interactively.
CVE-2026-33461 is a unique identifier for a specific security vulnerability in Kibana.
If you are using a version prior to 9.3.3, you should update to the latest version as soon as possible to mitigate the vulnerability.
Check the version of Kibana you are using. If it is prior to 9.3.3, it is vulnerable.
In addition to updating, review Fleet user privileges and monitor Kibana logs for suspicious activity.
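The version check above is less straightforward than "prior to 9.3.3" suggests, because the advisory lists a separate patched release for each maintained branch (8.19.14, 9.2.8, 9.3.3). The following script is an added example, not code from Elastic or from this advisory: it classifies a Kibana version string against the "Fixed in" list and triages a constructed sample of a Kibana status response. The branch rules (8.x fixed from 8.19.14, 9.2.x fixed from 9.2.8, everything else fixed from 9.3.3, and 9.0.x/9.1.x treated as still vulnerable because no fix is listed for them) are an assumption derived from the advisory's "Fixed in" field, and the `version.number` field location in the status body is an assumption about that endpoint's response shape.

```python
"""Version triage helper for CVE-2026-33461 (Kibana Fleet internal API
information disclosure). Added example, not code from Elastic or the advisory.

Assumptions (derived from the advisory's "Fixed in" list, not from release
notes): 8.0.0 and later are affected; a build is fixed when it is at or above
the first patched release on its branch (8.19.14 for 8.x, 9.2.8 for 9.2.x,
9.3.3 or any later release otherwise). Branches with no listed fix (9.0.x,
9.1.x) are treated as still vulnerable.
"""
import json
import re
from typing import Tuple

Version = Tuple[int, int, int]

# First patched release per branch, taken from the advisory's "Fixed in" field.
FIXED_8X: Version = (8, 19, 14)
FIXED_92X: Version = (9, 2, 8)
FIXED_93X: Version = (9, 3, 3)
FIRST_AFFECTED: Version = (8, 0, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release suffix such as '-SNAPSHOT' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Kibana version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    """Return True if this Kibana version is exposed to CVE-2026-33461."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False            # 7.x and earlier are outside the affected range
    major, minor, _ = v
    if major == 8:
        return v < FIXED_8X     # 8.x branch is fixed from 8.19.14
    if major == 9 and minor == 2:
        return v < FIXED_92X    # 9.2.x branch is fixed from 9.2.8
    return v < FIXED_93X        # all other builds: fixed from 9.3.3 onward


def triage_status_response(body: str) -> dict:
    """Triage a JSON body from Kibana's status endpoint.

    Reading the version from 'version.number' is an assumption about the
    response shape; adjust it if your deployment reports the version elsewhere.
    """
    number = json.loads(body)["version"]["number"]
    return {"version": number, "vulnerable": is_vulnerable(number)}


# Constructed sample status body (not captured from a real host).
SAMPLE_STATUS = (
    '{"name": "kibana-node-1", '
    '"version": {"number": "9.2.5", "build_hash": "placeholder"}}'
)

if __name__ == "__main__":
    for v in ["7.17.0", "8.0.0", "8.19.13", "8.19.14", "9.0.4",
              "9.2.7", "9.2.8", "9.3.2", "9.3.3", "9.4.0"]:
        state = "VULNERABLE" if is_vulnerable(v) else "fixed / not affected"
        print(f"{v:>8}: {state}")
    print(triage_status_response(SAMPLE_STATUS))
```

Run it against the version string your Kibana instance reports; any host classified as vulnerable should be scheduled for the branch-appropriate update listed under "Fixed in", and its Fleet role assignments reviewed in the meantime.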
CVSS Vector