CVE-2026-33460
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Description
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access.
How to fix CVE-2026-33460
To remediate CVE-2026-33460, upgrade the affected package to a fixed version below.
- —upgrade to 8.19.14 or later
- —upgrade to 8.19.14 or later
Is CVE-2026-33460 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
- >= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |