CVE-2026-33461
Published: 08 April 2026
Summary
CVE-2026-33461 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Elastic Kibana. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access, directly preventing users with limited Fleet privileges from retrieving sensitive configuration data through the internal API endpoint that bypasses the settings authorization checks.
- AC-6 (Least Privilege): Restricts users to only the accesses they need, mitigating the privilege abuse that enables disclosure of higher-privilege configuration data such as private keys.
- SI-2 (Flaw Remediation): Remediates the specific incorrect authorization flaw by identifying, testing, and applying vendor patches such as Kibana 8.19.4 to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Incorrect authorization on a network-reachable Kibana internal API (AV:N) directly enables exploitation of a public-facing application (T1190) to retrieve application access tokens and private keys from configuration objects.
NVD Description
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.
Deeper analysis (AI)
CVE-2026-33461 is an incorrect authorization vulnerability (CWE-863) affecting Kibana, rated at CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). It enables information disclosure via privilege abuse (CAPEC-122), where an internal API endpoint improperly handles responses by fetching and returning full configuration objects without enforcing the authorization checks present in dedicated settings APIs.
A user with limited Fleet privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the internal API endpoint, the attacker retrieves sensitive configuration data, including private keys and authentication tokens, that is intended to be accessible only to users with higher-level settings privileges, leading to unauthorized exposure of confidential information beyond the vulnerable component itself (CVSS scope: changed).
Elastic's security advisory ESA-2026-24 addresses this issue with updates for affected Kibana versions, including 8.19.4, 9.2.8, and 9.3.3, as detailed at https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812. Security practitioners should apply these patches promptly to mitigate the risk of privilege abuse and data exposure.
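The response-composition flaw the advisory describes, shown as an added TypeScript example that is not Kibana's code: the configuration object shape, the privilege names `fleet:read` and `fleet:settings:read`, and all function names are assumptions. The vulnerable handler gates the endpoint on the limited privilege and then returns the stored objects whole; the hardened handler builds its response from an allowlist of public fields and returns secrets only through the same check the dedicated settings API enforces.

```typescript
// Added example, not Kibana's code: object shape, privilege and function names are assumed.
type OutputConfig = {
  id: string;
  name: string;
  hosts: string[];
  ssl: { certificate: string; key: string }; // key is secret material
  serviceToken: string;                      // secret material
};
type PublicOutputConfig = { id: string; name: string; hosts: string[]; ssl: { certificate: string } };
type Caller = { username: string; privileges: Set<string> };
const FLEET_READ = "fleet:read";             // assumed limited Fleet privilege
const SETTINGS_READ = "fleet:settings:read"; // assumed higher settings privilege
// Constructed sample store; placeholder strings stand in for real secrets.
const STORE: OutputConfig[] = [{
  id: "out-1", name: "default", hosts: ["https://es.example:9200"],
  ssl: { certificate: "CERT-PLACEHOLDER", key: "PRIVATE-KEY-PLACEHOLDER" },
  serviceToken: "TOKEN-PLACEHOLDER",
}];
function requirePrivilege(caller: Caller, privilege: string): void {
  if (!caller.privileges.has(privilege)) throw new Error(`403: missing ${privilege}`);
}

// Dedicated settings API: full objects, including secrets, sit behind the settings privilege.
function settingsApiGetOutputs(caller: Caller): OutputConfig[] {
  requirePrivilege(caller, SETTINGS_READ);
  return STORE;
}

// Vulnerable pattern: the internal endpoint checks only the Fleet privilege and then
// composes its response from the full stored objects, so the settings check never runs.
function internalApiVulnerable(caller: Caller): OutputConfig[] {
  requirePrivilege(caller, FLEET_READ);
  return STORE.map((o) => ({ ...o }));
}

// Hardened pattern: respond from an allowlist of public fields, and return secrets
// only through the same check the settings API enforces.
function toPublic(o: OutputConfig): PublicOutputConfig {
  return { id: o.id, name: o.name, hosts: o.hosts, ssl: { certificate: o.ssl.certificate } };
}
function internalApiHardened(caller: Caller): Array<OutputConfig | PublicOutputConfig> {
  requirePrivilege(caller, FLEET_READ);
  if (caller.privileges.has(SETTINGS_READ)) return settingsApiGetOutputs(caller);
  return STORE.map(toPublic);
}
// Response-side check for tests or log review: does any returned object carry a secret field?
function exposesSecrets(resp: Array<OutputConfig | PublicOutputConfig>): boolean {
  return resp.some((o) => "serviceToken" in o || "key" in o.ssl);
}
```

The `exposesSecrets` check is the kind of assertion a regression test for the patched endpoint should make: a caller holding only the Fleet privilege must never receive a response in which it returns true.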
Details
- CWE(s)