CVE-2026-4498: Kibana Fleet Plugin Debug Route Privilege Abuse (CWE-250)
CVE-2026-4498 Published on April 8, 2026

Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
Execution with Unnecessary Privileges (CWE-250) in Kibanas Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

NVD

Vulnerability Analysis

CVE-2026-4498 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Execution with Unnecessary Privileges

The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.


Products Associated with CVE-2026-4498

Want to know whenever a new CVE is published for Elastic Kibana? stack.watch will email you.

Elastic Kibana
 

Affected Versions

Elastic Kibana: