BIT-elk-2026-4498

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/elk/BIT-elk-2026-4498.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-elk-2026-4498
Aliases
Published
2026-04-13T05:38:40.214Z
Modified
2026-04-13T08:27:28.162509189Z
Summary
Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
Details

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).

Database specific 
{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:node.js:*:*"
    ]
}
References

Affected packages

Bitnami / elk

Package

Name
elk
Purl
pkg:bitnami/elk

Severity

  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0
Fixed
8.19.14
Introduced
9.0.0
Fixed
9.2.8
Introduced
9.3.0
Fixed
9.3.3

Database specific

source 
"https://github.com/bitnami/vulndb/tree/main/data/elk/BIT-elk-2026-4498.json"