Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
{
"cwe_ids": [
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33460.json",
"cna_assigner": "elastic",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "9.3.0"
},
{
"last_affected": "9.3.2"
},
{
"introduced": "9.0.0"
},
{
"last_affected": "9.2.7"
},
{
"introduced": "8.0.0"
},
{
"last_affected": "8.19.13"
}
],
"source": "AFFECTED_FIELD"
}
]
}{
"cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.19.14"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.2.8"
},
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.3"
}
],
"source": "CPE_RANGE"
}[
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "313541444604022866958265865213287872231",
"length": 2564.0
},
"deprecated": false,
"id": "CVE-2026-33460-06197982",
"target": {
"function": "testInfer_HandlesRerankRequest_Cohere_Format",
"file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"156160656205353710312417330007629646425",
"27540708710486173236890240881820799260",
"84518175777564430454801298513242619573",
"136402608114113847601090415034067017773",
"16685559839112528659657881848863245510",
"277835739336649128433308394271788756561",
"143403250630798963826979644229512419723",
"242980579120754426761278468243787446353",
"321462624435310913302967518806687950974",
"82440798655824113832413828047961730518",
"300548741379807994336286196384108730640",
"256779652660472638210534763824804187552",
"46222788890441027068999511612152366503",
"48937933508108699071176309781932746930",
"321970245818726015799678340334047054700",
"172739829844646851416045766878270726607",
"153181888051955665546337367444036365656",
"124203616535444030273644361170629356875",
"100288444706359222937913017399433232159",
"309121548608204327250789539063946789326",
"319438141153746998409517777182091138336",
"51255505636426694297194044976326173232",
"250231542314301263066514395393284450737",
"214203989972935641826654681659282859419",
"58571146959237865627308032052375046049",
"47803809438137473017466825957232440899",
"336707179944840764682142298537860500446",
"45359245951768277319030149077281059574",
"58571146959237865627308032052375046049",
"162652334313199734502565521188201841382",
"175189539859557767461718357888782510477",
"165061306684265803088016931257610841584",
"58571146959237865627308032052375046049",
"69162281990582052467731627710640533493",
"128362147427298691431615098578884100365",
"270868705285420681643886908449567876922",
"287349046153840999809432690173922512964",
"294854095830598145422475187835678140215",
"68466100780771457268999999727315104566",
"95631642600171755226656183773782482039",
"229654468484481408976566219960030671636",
"64548248078566969071175771176786188803",
"191647534389363118453993355167357423246",
"146902999317757780523486174473002567414"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-33460-1b19fcf4",
"target": {
"file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "172591065224296382284126442597497581211",
"length": 149.0
},
"deprecated": false,
"id": "CVE-2026-33460-205e229a",
"target": {
"function": "getTestFeatures",
"file": "modules/data-streams/src/main/java/org/elasticsearch/datastreams/DataStreamFeatures.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "99452999398060652082735219626109422024",
"length": 479.0
},
"deprecated": false,
"id": "CVE-2026-33460-26020941",
"target": {
"function": "collect",
"file": "x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"147197169887312857886735333323219312459",
"491483613690208772789136343704830160",
"213772482049817814828160520886530819942",
"15017563729939480673956044845193398348",
"66567298044037355933417415521528370371",
"255171595814232248929188556733288140892",
"285135803330525769565872555920398499332",
"321415764837193263100786750992843602953",
"108587633537507210242609878158511307392",
"92590099996029974464418548733112675829",
"327002786409111698512253672661836577364",
"312703616138920692944159426890918111208",
"337952430790058126244858022050265389024",
"178709448119223616997213346634751186542",
"174789135067939310506334339164707391402",
"210970647024931410295177236523325314805",
"31930079211214026769678751532751696925",
"212655538528513921940163469477660321005",
"15929568647918090673149240164406099863",
"124667971465892408175573540568304874077",
"238610354327728892969879097211860508940",
"218508627040309587567307064187974490689",
"5757643076504182545399310114120402035"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-33460-31c33195",
"target": {
"file": "x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"128453270436807859913235475103096199710",
"177459271109583497706956835150788276861",
"177163096311313378479293624765758913385",
"166172364483954264757553938119525195723",
"3769462355156836715478913078745548042",
"328165599707046115736013975324429013020"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-33460-4580553e",
"target": {
"file": "modules/data-streams/src/main/java/org/elasticsearch/datastreams/DataStreamFeatures.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "92422966606385584546788657276874310910",
"length": 496.0
},
"deprecated": false,
"id": "CVE-2026-33460-47d88b6f",
"target": {
"function": "validate",
"file": "x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/640408e2dfd2af9fbfe5079e1575f93d8909a5f5",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "197552160985889901664419673985356516486",
"length": 1584.0
},
"deprecated": false,
"id": "CVE-2026-33460-51412cf0",
"target": {
"function": "indexMapping",
"file": "server/src/test/java/org/elasticsearch/index/mapper/vectors/DenseVectorFieldMapperTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"235127462228297284959627011147384431967",
"63416698433777538727099695573337933982",
"292855198434400605051192605274545575878",
"67872330018420459796311863072116526347",
"175773279971023045532788344412093721823",
"184184491137811567630774351126349740331",
"208384035772505989315956516357077240404",
"141253461345257827617096098816021767159"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-33460-5b18504a",
"target": {
"file": "x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "315262054749030809412106802625080574319",
"length": 450.0
},
"deprecated": false,
"id": "CVE-2026-33460-5ba38e01",
"target": {
"function": "createCustomModel",
"file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "37021890429624638425557029306735886735",
"length": 1912.0
},
"deprecated": false,
"id": "CVE-2026-33460-d1e131ba",
"target": {
"function": "testInfer_HandlesSparseEmbeddingRequest_Alibaba_Format",
"file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "228013337158870705279216444561884658301",
"length": 226.0
},
"deprecated": false,
"id": "CVE-2026-33460-e3ef07c4",
"target": {
"function": "extractPersistentChunkingSettings",
"file": "x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "41092078304446841000783939087813094753",
"length": 1721.0
},
"deprecated": false,
"id": "CVE-2026-33460-e7a4c834",
"target": {
"function": "testInfer_HandlesCompletionRequest_OpenAI_Format",
"file": "x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "326665976071484658195152997738423757368",
"length": 691.0
},
"deprecated": false,
"id": "CVE-2026-33460-ec6b2be0",
"target": {
"function": "parseRequestConfig",
"file": "x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"
}
},
{
"source": "https://github.com/elastic/elasticsearch/commit/640408e2dfd2af9fbfe5079e1575f93d8909a5f5",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"170568493866625987361505518312236776013",
"293170206883044799006840083449498043238",
"127965022065811097656658400917104721951",
"268080160680196637226945849294657874221"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-33460-f0c66f7c",
"target": {
"file": "server/src/test/java/org/elasticsearch/index/mapper/vectors/DenseVectorFieldMapperTests.java"
}
}
]
"2026-07-15T19:00:10Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33460.json"
{
"cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.19.14"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.2.8"
},
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.3"
}
],
"source": "CPE_RANGE"
}