CVE-2026-49095— Improper Input Validation in Kibana Fleet Leading to Privilege Escalation

Improper Input Validation in Kibana Fleet Leading to Privilege Escalation

Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

输入验证不恰当

Elastic Kibana 安全漏洞

Elastic Kibana是Elastic公司的一个可用数据可视化仪表板软件。 Elastic Kibana存在安全漏洞，该漏洞源于输入验证不当，可能导致权限提升。具有Fleet管理权限的经过身份验证的用户可以通过向配置覆盖机制注入未充分验证的值来操纵代理策略配置，攻击者可以导致Elastic Agents被颁发具有提升的Elasticsearch权限的API密钥，可能授予对敏感Elasticsearch安全索引的未经授权的读写访问权限。

N/A

N/A