CVE-2026-49095: Improper Input Validation in Kibana Fleet Leading to Privilege Escalation
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role.
HarborGuard Analysis
Synopsis
An improper input validation vulnerability in the Kibana Fleet agent policy management feature allows an authenticated attacker holding Fleet management privileges to obtain Elasticsearch privileges beyond that role. The vulnerability is reachable over the network and requires no victim interaction, but it does require an existing Fleet management account, which is itself a high-privilege role. Successful exploitation causes Elastic Agents enrolled in the manipulated policy to be issued API keys with elevated Elasticsearch privileges, granting unauthorized read and write access to sensitive Elasticsearch security indices beyond the intended Fleet role scope. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Elastic publishes a fix version.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Kibana images. Any image running an affected version of Kibana (9.3.4, 9.4.1 or 8.19.15 and earlier on their respective release branches) is flagged automatically.
- Available: HarborGuard scores this finding at CVSS 7.2 (HIGH) and applies per-environment compliance policy weighting to determine escalation priority. Triage routing can direct the finding to the appropriate team inbox within each customer organization based on configured ownership rules.
- Pending upstream: No fix version has been published by Elastic at this time, so no patched-image rebuild is currently available. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available as soon as Elastic ships a fix; for customers with auto-remediation enabled, that rebuild triggers a regression run and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Kibana Fleet API over the network; the service must be exposed on the attacker's network path.
- Authentication: Required
An account holding Fleet management privileges is required; a generic low-privilege account is not sufficient.
- Victim interaction: Not required
No user interaction is needed; the attacker submits the crafted policy configuration directly, without relying on any other user's actions.
- Attack complexity: Low
Exploitation requires no race conditions or special environmental state; a reliable, repeatable request sequence is sufficient.
Blast Radius
- Reads contents of sensitive Elasticsearch security indices, including index data that the Fleet management role is not authorized to access.
- Writes to sensitive Elasticsearch security indices, enabling modification or corruption of security-relevant data such as role mappings or API key records.
- Elastic Agents fleet-wide are issued API keys carrying elevated Elasticsearch privileges, extending the attacker's reach beyond the originating account.
How HarborGuard Handles This
This CVE is actively tracked on HarborGuard; no upstream fix has been published. A patched image cannot yet be offered, but HarborGuard checks the Elastic advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, that rebuild includes a regression run and an automated PR against affected workloads.

In the interim, compensating controls worth evaluating include:
- restricting network access to the Kibana Fleet API (for example with network policy) to trusted internal CIDR ranges only, which removes the network-reachability precondition for everyone outside those ranges;
- auditing and tightening which accounts hold Fleet management privileges, since that role is the authentication precondition and every account that keeps it is a potential attacker;
- enabling Elasticsearch audit logging and reviewing access to the security indices, so that unauthorized reads or writes by agent API keys are surfaced.

Customers using HarborGuard's compliance policy weighting can flag this CVE as requiring manual sign-off on any deployment of an affected Kibana image until an upstream patch is available.
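Of the compensating controls above, audit logging is the only one that produces evidence of exploitation. The following is an added example, not HarborGuard's or Elastic's code: it scans Elasticsearch JSON audit log lines for granted access to `.security*` indices by API-key-authenticated principals (which is what an Elastic Agent holding an over-privileged Fleet-issued key would look like) and by realm users outside an expected allowlist, and classifies each hit as a read or a write. The field names used (`type`, `event.action`, `user.name`, `authentication.type`, `apikey.name`, `action`, `indices`) are those of the Elasticsearch JSON audit log; treat the exact set as an assumption to verify against the running version. The sample lines, the API key name and the `EXPECTED_PRINCIPALS` allowlist are constructed for this example.

```python
"""Flag Elasticsearch audit-log events that reach security indices.

Input: Elasticsearch JSON audit log lines (one object per line, dotted keys
such as "event.action"). Field set is an assumption; verify per version.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

SECURITY_INDEX_PREFIX = ".security"

# Realm users expected to touch .security* in a normal deployment.
# Assumption for this example: tune to the identities actually in use.
EXPECTED_PRINCIPALS = {"elastic", "kibana_system"}


@dataclass
class Finding:
    timestamp: str
    principal: str
    auth_type: str
    apikey_name: Optional[str]
    action: str
    indices: List[str]
    kind: str  # "write", "read" or "other"


def classify_action(action: str) -> str:
    """Map an Elasticsearch action name to write / read / other."""
    if action.startswith("indices:data/write/") or action.startswith("indices:admin/"):
        return "write"
    if action.startswith("indices:data/read/"):
        return "read"
    return "other"


def is_suspicious(event: dict) -> bool:
    """True when a granted request reaches .security* from an unexpected identity."""
    if event.get("type") != "audit" or event.get("event.action") != "access_granted":
        return False
    indices = event.get("indices") or []
    if not any(name.startswith(SECURITY_INDEX_PREFIX) for name in indices):
        return False
    # Elastic Agents authenticate with Fleet-issued API keys. A key that can
    # reach .security* is exactly the over-privileged key this CVE produces,
    # so it is flagged regardless of which user owns the key.
    if event.get("authentication.type") == "API_KEY":
        return True
    return event.get("user.name") not in EXPECTED_PRINCIPALS


def scan(lines) -> List[Finding]:
    """Parse each line, skipping unparseable ones, and collect suspicious events."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than crash
        if not is_suspicious(event):
            continue
        action = event.get("action", "")
        findings.append(Finding(
            timestamp=event.get("@timestamp", ""),
            principal=event.get("user.name", "<unknown>"),
            auth_type=event.get("authentication.type", "<unknown>"),
            apikey_name=event.get("apikey.name"),
            action=action,
            indices=list(event.get("indices") or []),
            kind=classify_action(action),
        ))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding."""
    out = []
    for f in findings:
        key = f", key={f.apikey_name}" if f.apikey_name else ""
        out.append(f"{f.timestamp} {f.kind.upper():5} {f.principal} ({f.auth_type}{key}) "
                   f"{f.action} -> {','.join(f.indices)}")
    return out


# Constructed sample lines (not real logs): a benign kibana_system read, an
# agent API key writing to .security-7, an agent key reading ordinary data,
# a realm user outside the allowlist reading .security-7, and a truncated line.
SAMPLE_LINES = [
    '{"type":"audit","@timestamp":"2026-01-01T00:00:00Z","event.action":"access_granted","user.name":"kibana_system","authentication.type":"REALM","action":"indices:data/read/search","indices":[".security-7"]}',
    '{"type":"audit","@timestamp":"2026-01-01T00:00:01Z","event.action":"access_granted","user.name":"elastic","authentication.type":"API_KEY","apikey.name":"agent-key-example","action":"indices:data/write/bulk","indices":[".security-7"]}',
    '{"type":"audit","@timestamp":"2026-01-01T00:00:02Z","event.action":"access_granted","user.name":"elastic","authentication.type":"API_KEY","apikey.name":"agent-key-example","action":"indices:data/read/search","indices":["logs-system.syslog-default"]}',
    '{"type":"audit","@timestamp":"2026-01-01T00:00:03Z","event.action":"access_granted","user.name":"fleet-admin","authentication.type":"REALM","action":"indices:data/read/search","indices":[".security-7"]}',
    '{"type":"audit","@timestamp":"2026-01-01T00:00:04Z","event.action":"acc',
]

if __name__ == "__main__":
    for line in report(scan(SAMPLE_LINES)):
        print(line)
```

Run against a real audit log with `scan(open("elasticsearch_audit.json"))`; the ordering of the checks matters, since the API-key test fires before the allowlist so that a key owned by an otherwise trusted user is still reported.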
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: none published yet
- Affected Products: 1
- Elastic / Kibana: ≤ 9.3.4 · ≤ 9.4.1 · ≤ 8.19.15
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N