Platform: nodejs
Component: kibana
Fixed in: 8.19.14
CVE-2026-4498 is a privilege abuse vulnerability affecting Kibana's Fleet plugin. An authenticated Kibana user possessing Fleet sub-feature privileges can exploit this flaw to read Elasticsearch index data beyond their intended access scope, potentially exposing sensitive information. This vulnerability impacts Kibana versions 8.0.0 through 8.19.13 and has been resolved in version 8.19.14.
This vulnerability allows an attacker with sufficient privileges within Kibana to bypass Elasticsearch's Role-Based Access Control (RBAC) and access data they should not be authorized to view. The attacker needs to be an authenticated Kibana user with Fleet privileges, such as those managing agents, agent policies, or settings. Successful exploitation could lead to unauthorized access to sensitive data stored within Elasticsearch indices, potentially including personally identifiable information (PII), financial records, or other confidential data. The blast radius depends on the scope of the Elasticsearch indices accessible by the privileged Kibana user; a user with broad Fleet privileges could potentially access a significant portion of the Elasticsearch cluster's data.
CVE-2026-4498 was publicly disclosed on 2026-04-08. Its CVSS score of 7.7 (HIGH) indicates a significant potential for exploitation. No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA KEV catalog as of this writing. Given that the flaw lets a user read beyond their authorized scope and could be used for data exfiltration, it is reasonable to expect that attackers may attempt to exploit it.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-4498 is to upgrade Kibana to version 8.19.14 or later. If upgrading immediately is not feasible, consider restricting Fleet privileges to the minimum necessary for users. Review and tighten Elasticsearch RBAC configurations to ensure that users only have access to the data they require. Implement monitoring and alerting to detect unusual access patterns or attempts to access data outside of expected RBAC boundaries. While a WAF is unlikely to directly mitigate this, it can help detect and block suspicious requests targeting the Fleet plugin's debug routes.
Update Kibana to version 8.19.14 or later to mitigate the vulnerability. This release fixes the issue by preventing the Fleet plugin from returning index data outside the scope of the user's Elasticsearch RBAC.
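The workaround above is about tightening who holds Fleet privileges, so here is an added audit script (not from Elastic or this advisory) that lists which Kibana roles grant Fleet privileges while a deployment is still on an affected build. It assumes role documents in the shape returned by the Kibana Roles API (GET /api/security/role) and that Fleet's feature id is "fleetv2" with Integrations as "fleet"; those ids and the sample roles are assumptions, not values from the advisory.

```python
"""Audit Kibana roles for Fleet privileges on builds affected by CVE-2026-4498.

Added example, not Elastic's code. Assumes role documents shaped like the output of
GET /api/security/role and that Fleet's Kibana feature id is "fleetv2" (Integrations is
"fleet"); adjust FLEET_FEATURES if your deployment names them differently.
"""
AFFECTED_MIN = (8, 0, 0)     # first affected release per the advisory
AFFECTED_MAX = (8, 19, 13)   # last affected release; 8.19.14 carries the fix
FLEET_FEATURES = ("fleetv2", "fleet")  # assumed Fleet / Integrations feature ids

def parse_version(version: str) -> tuple:
    """Turn '8.19.13' (or '8.19.13-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True when the running Kibana falls inside the advisory's 8.0.0 to 8.19.13 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def fleet_privileges(role: dict) -> list:
    """Fleet-related Kibana privileges a role grants, tagged with the spaces they apply to.
    A base privilege ('all'/'read') implicitly covers every feature, Fleet included, so it is
    reported as well; Fleet sub-feature privileges appear under the feature key."""
    found = []
    for entry in role.get("kibana", []):
        spaces = ",".join(entry.get("spaces", ["*"]))
        for base in entry.get("base", []):
            found.append(f"base:{base}@{spaces}")
        for feature, privs in entry.get("feature", {}).items():
            if feature in FLEET_FEATURES:
                found.extend(f"{feature}:{p}@{spaces}" for p in privs)
    return found

def audit(roles: list, version: str) -> dict:
    """Role name -> Fleet privileges for every role worth reviewing while the build is affected."""
    if not is_affected(version):
        return {}
    return {r["name"]: privs for r in roles if (privs := fleet_privileges(r))}

SAMPLE_ROLES = [  # constructed sample input, trimmed to the fields the audit reads
    {"name": "fleet_operator", "kibana": [{"base": [], "feature": {"fleetv2": ["all"], "fleet": ["read"]}, "spaces": ["*"]}]},
    {"name": "dashboards_only", "kibana": [{"base": [], "feature": {"dashboard": ["read"]}, "spaces": ["default"]}]},
    {"name": "space_admin", "kibana": [{"base": ["all"], "feature": {}, "spaces": ["ops"]}]},
]

if __name__ == "__main__":
    for name, privs in audit(SAMPLE_ROLES, "8.19.13").items():
        print(f"{name}: {', '.join(privs)}")
```

Feed it the JSON from your own Roles API call and the version reported by GET /api/status; roles listed with a base privilege need the same review as those with explicit Fleet sub-feature grants.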
CVE-2026-4498 is a vulnerability in Kibana's Fleet plugin that allows authenticated users with Fleet privileges to read Elasticsearch index data beyond their RBAC scope, potentially leading to unauthorized data access.
You are affected if you are running Kibana versions 8.0.0 through 8.19.13 and have users with Fleet sub-feature privileges.
Upgrade Kibana to version 8.19.14 or later. As a temporary workaround, restrict Fleet privileges to the minimum necessary for users.
There are currently no publicly known active exploits, but the vulnerability's severity and potential impact suggest it may be targeted by attackers.
Refer to the official Elastic security advisory for CVE-2026-4498 on the Elastic website: [https://www.elastic.co/security/advisories/CVE-2026-4498](https://www.elastic.co/security/advisories/CVE-2026-4498)