BIT-kibana-2026-33461

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/kibana/BIT-kibana-2026-33461.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-kibana-2026-33461

Aliases

BIT-elk-2026-33461
CVE-2026-33461

Published

2026-04-13T05:42:03.441Z

Modified

2026-04-23T09:15:21.490582Z

Summary

Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Details

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs.

Database specific

{
    "cpes": [
        "cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:node.js:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / kibana

Package

Name: kibana
Purl: pkg:bitnami/kibana

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

8.0.0

Fixed

8.19.14

Introduced

9.0.0

Fixed

9.2.8

Introduced

9.3.0

Fixed

9.3.3

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/kibana/BIT-kibana-2026-33461.json"