Kibana 8.x < 8.19.14 / 9.0.x < 9.2.8 / 9.3.x < 9.3.3 Multiple Vulnerabilities (ESA-2026-21 / ESA-2026-24 / ESA-2026-25 / ESA-2026-26)

high Nessus Plugin ID 305938

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Kibana installed on the remote host is prior to 8.19.14, 9.2.8, or 9.3.3. It is, therefore, affected by multiple vulnerabilities as referenced in the ESA-2026-21, ESA-2026-24, ESA-2026-25, and ESA-2026-26 advisories.

- An incorrect authorization vulnerability in Kibana Fleet allows a user with limited Fleet privileges to exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. (CVE-2026-33461)

- A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. This endpoint improperly uses an unscoped internal client, bypassing space-scoped access controls and resulting in cross-space information disclosure. (CVE-2026-33460)

- In Kibana's Fleet plugin debug route handlers, an authenticated user with Fleet sub-feature privileges can read index data beyond their direct Elasticsearch RBAC scope, allowing unauthorized data access across the deployment. (CVE-2026-4498)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update to Kibana version 8.19.14, 9.2.8, 9.3.3, or later.

See Also

http://www.nessus.org/u?b36e1d93

http://www.nessus.org/u?adcc18bc

http://www.nessus.org/u?b282e3d2

http://www.nessus.org/u?1aefd64f

Plugin Details

Severity: High

ID: 305938

File Name: kibana_esa_2026_24.nasl

Version: 1.1

Type: Remote

Family: CGI abuses

Published: 4/10/2026

Updated: 4/10/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-33461

CVSS v3

Risk Factor: High

Base Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/a:elasticsearch:kibana

Required KB Items: installed_sw/Kibana

Patch Publication Date: 4/8/2026

Vulnerability Publication Date: 4/8/2026

Reference Information

CVE: CVE-2026-33459, CVE-2026-33460, CVE-2026-33461, CVE-2026-4498

IAVB: 2026-B-0090