CVE-2026-33460

Source
https://cve.org/CVERecord?id=CVE-2026-33460
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33460.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33460
Aliases
Downstream
Published
2026-04-08T16:43:30.788Z
Modified
2026-07-15T19:00:10.971134Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Details

Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33460.json",
    "cna_assigner": "elastic",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "9.3.0"
                },
                {
                    "last_affected": "9.3.2"
                },
                {
                    "introduced": "9.0.0"
                },
                {
                    "last_affected": "9.2.7"
                },
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.19.13"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Database specific
{
    "cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.19.14"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.2.8"
        },
        {
            "introduced": "9.3.0"
        },
        {
            "fixed": "9.3.3"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v9.*
v9.3.0
v9.3.1
v9.3.2

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "313541444604022866958265865213287872231",
            "length": 2564.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-06197982",
        "target": {
            "function": "testInfer_HandlesRerankRequest_Cohere_Format",
            "file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "156160656205353710312417330007629646425",
                "27540708710486173236890240881820799260",
                "84518175777564430454801298513242619573",
                "136402608114113847601090415034067017773",
                "16685559839112528659657881848863245510",
                "277835739336649128433308394271788756561",
                "143403250630798963826979644229512419723",
                "242980579120754426761278468243787446353",
                "321462624435310913302967518806687950974",
                "82440798655824113832413828047961730518",
                "300548741379807994336286196384108730640",
                "256779652660472638210534763824804187552",
                "46222788890441027068999511612152366503",
                "48937933508108699071176309781932746930",
                "321970245818726015799678340334047054700",
                "172739829844646851416045766878270726607",
                "153181888051955665546337367444036365656",
                "124203616535444030273644361170629356875",
                "100288444706359222937913017399433232159",
                "309121548608204327250789539063946789326",
                "319438141153746998409517777182091138336",
                "51255505636426694297194044976326173232",
                "250231542314301263066514395393284450737",
                "214203989972935641826654681659282859419",
                "58571146959237865627308032052375046049",
                "47803809438137473017466825957232440899",
                "336707179944840764682142298537860500446",
                "45359245951768277319030149077281059574",
                "58571146959237865627308032052375046049",
                "162652334313199734502565521188201841382",
                "175189539859557767461718357888782510477",
                "165061306684265803088016931257610841584",
                "58571146959237865627308032052375046049",
                "69162281990582052467731627710640533493",
                "128362147427298691431615098578884100365",
                "270868705285420681643886908449567876922",
                "287349046153840999809432690173922512964",
                "294854095830598145422475187835678140215",
                "68466100780771457268999999727315104566",
                "95631642600171755226656183773782482039",
                "229654468484481408976566219960030671636",
                "64548248078566969071175771176786188803",
                "191647534389363118453993355167357423246",
                "146902999317757780523486174473002567414"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-33460-1b19fcf4",
        "target": {
            "file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "172591065224296382284126442597497581211",
            "length": 149.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-205e229a",
        "target": {
            "function": "getTestFeatures",
            "file": "modules/data-streams/src/main/java/org/elasticsearch/datastreams/DataStreamFeatures.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "99452999398060652082735219626109422024",
            "length": 479.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-26020941",
        "target": {
            "function": "collect",
            "file": "x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "147197169887312857886735333323219312459",
                "491483613690208772789136343704830160",
                "213772482049817814828160520886530819942",
                "15017563729939480673956044845193398348",
                "66567298044037355933417415521528370371",
                "255171595814232248929188556733288140892",
                "285135803330525769565872555920398499332",
                "321415764837193263100786750992843602953",
                "108587633537507210242609878158511307392",
                "92590099996029974464418548733112675829",
                "327002786409111698512253672661836577364",
                "312703616138920692944159426890918111208",
                "337952430790058126244858022050265389024",
                "178709448119223616997213346634751186542",
                "174789135067939310506334339164707391402",
                "210970647024931410295177236523325314805",
                "31930079211214026769678751532751696925",
                "212655538528513921940163469477660321005",
                "15929568647918090673149240164406099863",
                "124667971465892408175573540568304874077",
                "238610354327728892969879097211860508940",
                "218508627040309587567307064187974490689",
                "5757643076504182545399310114120402035"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-33460-31c33195",
        "target": {
            "file": "x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "128453270436807859913235475103096199710",
                "177459271109583497706956835150788276861",
                "177163096311313378479293624765758913385",
                "166172364483954264757553938119525195723",
                "3769462355156836715478913078745548042",
                "328165599707046115736013975324429013020"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-33460-4580553e",
        "target": {
            "file": "modules/data-streams/src/main/java/org/elasticsearch/datastreams/DataStreamFeatures.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "92422966606385584546788657276874310910",
            "length": 496.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-47d88b6f",
        "target": {
            "function": "validate",
            "file": "x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/640408e2dfd2af9fbfe5079e1575f93d8909a5f5",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "197552160985889901664419673985356516486",
            "length": 1584.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-51412cf0",
        "target": {
            "function": "indexMapping",
            "file": "server/src/test/java/org/elasticsearch/index/mapper/vectors/DenseVectorFieldMapperTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "235127462228297284959627011147384431967",
                "63416698433777538727099695573337933982",
                "292855198434400605051192605274545575878",
                "67872330018420459796311863072116526347",
                "175773279971023045532788344412093721823",
                "184184491137811567630774351126349740331",
                "208384035772505989315956516357077240404",
                "141253461345257827617096098816021767159"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-33460-5b18504a",
        "target": {
            "file": "x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "315262054749030809412106802625080574319",
            "length": 450.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-5ba38e01",
        "target": {
            "function": "createCustomModel",
            "file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "37021890429624638425557029306735886735",
            "length": 1912.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-d1e131ba",
        "target": {
            "function": "testInfer_HandlesSparseEmbeddingRequest_Alibaba_Format",
            "file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "228013337158870705279216444561884658301",
            "length": 226.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-e3ef07c4",
        "target": {
            "function": "extractPersistentChunkingSettings",
            "file": "x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "41092078304446841000783939087813094753",
            "length": 1721.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-e7a4c834",
        "target": {
            "function": "testInfer_HandlesCompletionRequest_OpenAI_Format",
            "file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "326665976071484658195152997738423757368",
            "length": 691.0
        },
        "deprecated": false,
        "id": "CVE-2026-33460-ec6b2be0",
        "target": {
            "function": "parseRequestConfig",
            "file": "x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"
        }
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/640408e2dfd2af9fbfe5079e1575f93d8909a5f5",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "170568493866625987361505518312236776013",
                "293170206883044799006840083449498043238",
                "127965022065811097656658400917104721951",
                "268080160680196637226945849294657874221"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-33460-f0c66f7c",
        "target": {
            "file": "server/src/test/java/org/elasticsearch/index/mapper/vectors/DenseVectorFieldMapperTests.java"
        }
    }
]
vanir_signatures_modified
"2026-07-15T19:00:10Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33460.json"

Git / github.com/elastic/kibana

Affected ranges

Type
GIT
Repo
https://github.com/elastic/kibana
Events
Database specific
{
    "cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.19.14"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.2.8"
        },
        {
            "introduced": "9.3.0"
        },
        {
            "fixed": "9.3.3"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v9.*
v9.3.0
v9.3.1
v9.3.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33460.json"