{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kibana/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-4498"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","privilege-escalation","kibana"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4498 is a privilege escalation vulnerability affecting the Fleet plugin in Kibana. Specifically, the debug route handlers within the Fleet plugin do not properly restrict access, allowing an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management) to read index data beyond their intended Elasticsearch RBAC scope. This is a weakness related to Execution with Unnecessary Privileges (CWE-250). The vulnerability was disclosed in Elastic\u0026rsquo;s security update ESA-2026-21, associated with Kibana versions 8.9.3, 9.2.8, and 8.19.1. This vulnerability can lead to unauthorized data access within the Elasticsearch cluster.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to Kibana as an authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains Fleet sub-feature privileges (agents, policies, settings).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the vulnerable debug route handler.\u003c/li\u003e\n\u003cli\u003eThe debug route handler improperly processes the request without proper RBAC enforcement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed debug route to read index data.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses Elasticsearch indices beyond the intended scope of their privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information contained within the Elasticsearch indices.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4498 allows an attacker to bypass Elasticsearch Role-Based Access Control (RBAC) and read sensitive index data that they should not have access to. The number of potentially affected Kibana instances is unknown, but all instances running vulnerable versions with the Fleet plugin enabled and accessible to users with Fleet sub-feature privileges are at risk. The specific impact depends on the nature of the data stored in the Elasticsearch indices exposed by the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Kibana to a patched version (8.9.3, 9.2.8, 8.19.1 or later) as recommended in Elastic\u0026rsquo;s security advisory ESA-2026-21 to remediate CVE-2026-4498.\u003c/li\u003e\n\u003cli\u003eReview and restrict Fleet sub-feature privileges to only those users who require them to limit the potential attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKibana Fleet Plugin Debug Route Access\u003c/code\u003e to monitor for suspicious access patterns to the debug routes within the Fleet plugin.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T17:21:24Z","date_published":"2026-04-08T17:21:24Z","id":"/briefs/2026-04-kibana-fleet-privesc/","summary":"CVE-2026-4498 allows an authenticated Kibana user with Fleet sub-feature privileges to read index data beyond their direct Elasticsearch RBAC scope due to improper privilege handling in debug route handlers.","title":"Kibana Fleet Plugin Privilege Escalation via CVE-2026-4498","url":"https://feed.craftedsignal.io/briefs/2026-04-kibana-fleet-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Kibana","version":"https://jsonfeed.org/version/1.1"}