#VU125549 Incorrect authorization in Kibana - CVE-2026-33460


Published: April 9, 2026
Vulnerability identifier: #VU125549
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33460
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Kibana
Software vendor: Elastic Stack

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the internal Fleet enrollment endpoint when it handles requests for Fleet Server policy details across spaces. A remote user with Fleet privileges in one space can send a crafted request to this endpoint and obtain Fleet Server policy details belonging to other spaces, disclosing sensitive information.

Exploitation requires Fleet to be enabled, Kibana Spaces to be in use, and the user to have Fleet agent management privileges in at least one space while Fleet Server policies exist in other spaces.
Remediation

Install the security update from the vendor's website.

External links