
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN374
_____________________________________________________________________

DATE                : 09/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions prior to 8.19.14,
                     9.2.8 and 9.3.3.

=====================================================================
https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811
https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815
https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812
https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813
https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814
_____________________________________________________________________


Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-21)
Posted by ismisepaul (Paul), April 8, 2026, 4:01pm

Execution with Unnecessary Privileges in Kibana Leading to Reading
Index Data Beyond the User's Direct Elasticsearch RBAC Scope

Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet
plugin debug route handlers can lead to a user reading index data
beyond their direct Elasticsearch RBAC scope via Privilege Abuse
(CAPEC-122). This requires an authenticated Kibana user with Fleet
sub-feature privileges (such as agents, agent policies, and settings
management).


Affected Versions:

    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x:
        All versions from 9.0.0 up to and including 9.2.7
        All versions from 9.3.0 up to and including 9.3.2

Affected Configurations:

    Default State: Fleet is enabled by default in Kibana
(xpack.fleet.agents.enabled defaults to true). The debug routes are
registered as internal routes when Fleet is active.
    Configuration Requirement: No non-default configuration is required.
The vulnerable routes are available in any standard Kibana deployment
with Fleet enabled.


Solutions and Mitigations:

The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

For Users that Cannot Upgrade:

    Restrict Fleet privileges: Review all custom roles that grant Fleet
sub-feature privileges (agents_all, agent_policies_all, settings_all)
and limit these to only trusted administrative users until a patch is
applied. However, users should upgrade to the latest non-vulnerable
version.


Indicators of Compromise (IOC)

If Kibana audit logging is enabled (xpack.security.audit.enabled: true),
the following detection strategies can be used:

    Search for requests to Fleet debug routes: Look for HTTP request
audit events targeting paths matching /internal/fleet/debug/index or
/internal/fleet/debug/saved_objects in Kibana audit logs.
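The detection strategy above reduces to a path match over audit events. The following is an added example for this note, not Elastic's code: it scans Kibana audit-log lines for http_request events whose url.path is one of the two Fleet debug routes named in the advisory and summarises who called them. It assumes the audit log is one ECS JSON object per line in the nested layout Kibana's JSON appender writes (event.action, url.path, user.name, user.roles, kibana.space_id); the sample lines are constructed.

```python
"""Flag Kibana audit-log http_request events that target the Fleet debug
routes named in ESA-2026-21. Added example, not Elastic's code.
Assumption: nested ECS JSON, one event per line; sample lines constructed."""
import json
import re
from collections import Counter
from typing import Any, Dict, Iterable, List

# Routes named in the advisory. A trailing "/..." segment is tolerated so a
# sub-route under either prefix is caught too (assumption, not advisory text).
DEBUG_ROUTE_RE = re.compile(r"^/internal/fleet/debug/(index|saved_objects)(/|$)")

# Constructed sample: two hits by a limited Fleet user, one by an admin,
# one unrelated request, one non-HTTP audit event and one corrupt line.
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2026-04-09T08:00:01Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"get"}},"url":{"path":"/api/status"},'
    '"user":{"name":"fleet-ops","roles":["fleet_agent_manager"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2026-04-09T08:00:05Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"get"}},"url":{"path":"/internal/fleet/debug/index","query":"index=.fleet-agents"},'
    '"user":{"name":"fleet-ops","roles":["fleet_agent_manager"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2026-04-09T08:00:06Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"post"}},"url":{"path":"/internal/fleet/debug/saved_objects"},'
    '"user":{"name":"fleet-ops","roles":["fleet_agent_manager"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2026-04-09T08:01:00Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"get"}},"url":{"path":"/internal/fleet/debug/index"},'
    '"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2026-04-09T08:01:10Z","event":{"action":"user_login","category":["authentication"]},'
    '"user":{"name":"fleet-ops"}}',
    'this line is not JSON',
]


def get(event: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Walk a nested dict by dotted key; return default if any step is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def parse_audit_lines(lines: Iterable[str]) -> Iterable[Dict[str, Any]]:
    """Yield parsed events, skipping lines that are not JSON objects."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            yield ev


def find_debug_route_requests(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """One record per http_request event whose path is a Fleet debug route."""
    hits = []
    for ev in parse_audit_lines(lines):
        if get(ev, "event.action") != "http_request":
            continue
        path = get(ev, "url.path", "") or ""
        if not DEBUG_ROUTE_RE.match(path):
            continue
        hits.append({
            "timestamp": ev.get("@timestamp"),
            "user": get(ev, "user.name"),
            "roles": list(get(ev, "user.roles", []) or []),
            "method": (get(ev, "http.request.method") or "").upper(),
            "path": path,
            "query": get(ev, "url.query"),
            "space": get(ev, "kibana.space_id"),
        })
    return hits


def hits_by_user(hits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count debug-route requests per user; calls from non-admin users need review."""
    return dict(Counter(h["user"] for h in hits))


if __name__ == "__main__":
    found = find_debug_route_requests(SAMPLE_AUDIT_LINES)
    for h in found:
        print(f'{h["timestamp"]} {h["user"]:<10} {h["method"]:<4} {h["path"]} roles={h["roles"]}')
    print(hits_by_user(found))
```

Because the audit event carries user.roles, the per-user summary can be cross-checked against the role review in the mitigation section: a call from a role that holds only Fleet sub-feature privileges is the case the advisory describes.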


Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability
described in this security advisory was remediated in our Elastic Cloud
Serverless offering before the public disclosure.

Severity: CVSSv3.1: High ( 7.7 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-4498
Problem Type: CWE-250 - Execution with Unnecessary Privileges
Impact: CAPEC-122 - Privilege Abuse

_____________________________________________________________________


Kibana 9.3.3 Security Update (ESA-2026-28)
Posted by ismisepaul (Paul), April 8, 2026, 4:29pm

Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to
Information Disclosure

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead
to information disclosure. An authenticated user with workflow
creation and execution privileges can bypass host allowlist
restrictions in the Workflows Execution Engine, potentially exposing
sensitive internal endpoints and data.


Affected Versions:

    9.x: All versions from 9.3.0 up to and including 9.3.2

Affected Configurations:

Deployments running Kibana 9.3.x with the Workflows Execution Engine
enabled. Exploitation requires an authenticated user with workflow
creation and execution privileges.



Solutions and Mitigations:

The issue is resolved in version 9.3.3.


Indicators of Compromise (IOC)

Monitor workflow execution logs for HTTP step executions that result
in redirect responses, particularly those targeting internal hosts
not on the allowlist.

    Review Kibana audit logs for workflow execution activity, focusing
on HTTP step executions with redirect-following behavior.
    Monitor network logs for outbound connections from Kibana to
unexpected internal hosts.
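The advisory says the host allowlist can be bypassed and the indicators above point at redirect responses, which is the classic shape of this weakness: the allowlist is applied to the URL the user supplied, and a redirect from an allowlisted host carries the request somewhere else. The following is an added example for this note, not Kibana's Workflows Execution Engine code. It contrasts an allowlist checked once against one re-checked on every hop, against a constructed in-memory "network" whose hostnames are placeholders.

```python
"""Host-allowlist enforcement across HTTP redirects, the weakness class behind
ESA-2026-28. Added example; not Kibana's code. FAKE_NET and the hostnames are
constructed placeholders."""
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
ALLOWED_HOSTS = {"api.example.com"}          # placeholder allowlist

# Constructed responses: /hop redirects an allowlisted host to an internal
# metadata address; /relative redirects to a path on the same host; /loop loops.
FAKE_NET: Dict[str, Response] = {
    "https://api.example.com/data": (200, {}, "public data"),
    "https://api.example.com/hop": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "instance credentials"),
    "https://api.example.com/relative": (302, {"Location": "/data"}, ""),
    "https://api.example.com/loop": (302, {"Location": "https://api.example.com/loop"}, ""),
}


class HostNotAllowed(Exception):
    pass


class TooManyRedirects(Exception):
    pass


def fake_fetch(url: str) -> Response:
    return FAKE_NET.get(url, (404, {}, "not found"))


def host_allowed(url: str, allowlist) -> bool:
    parts = urlparse(url)
    return (parts.scheme in ("http", "https") and parts.hostname is not None
            and parts.hostname.lower() in allowlist)


def fetch_initial_check_only(url, allowlist=ALLOWED_HOSTS, fetch=fake_fetch, max_redirects=5):
    """Weak pattern: validate the URL the user supplied, then follow Location
    headers blindly. The redirect target is never checked."""
    if not host_allowed(url, allowlist):
        raise HostNotAllowed(url)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # may now point anywhere
            continue
        return url, status, body
    raise TooManyRedirects(url)


def fetch_check_every_hop(url, allowlist=ALLOWED_HOSTS, fetch=fake_fetch, max_redirects=5):
    """Hardened pattern: resolve Location against the current URL, re-validate
    the host on every hop, and cap the number of hops."""
    for _ in range(max_redirects + 1):
        if not host_allowed(url, allowlist):
            raise HostNotAllowed(url)
        status, headers, body = fetch(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, status, body
    raise TooManyRedirects(url)


def outcome(fetcher: Callable, url: str) -> Tuple[str, str]:
    """Run a fetcher and describe the result as (kind, detail) for comparison."""
    try:
        final_url, status, body = fetcher(url)
        return "fetched", f"{final_url} {status} {body}"
    except HostNotAllowed as exc:
        return "blocked", str(exc)
    except TooManyRedirects as exc:
        return "redirect_limit", str(exc)


if __name__ == "__main__":
    for u in ("https://api.example.com/hop", "https://api.example.com/relative",
              "https://api.example.com/loop"):
        print(u, "weak:", outcome(fetch_initial_check_only, u),
              "hardened:", outcome(fetch_check_every_hop, u))
```

Checking the hostname on each hop is necessary but not sufficient: an engine that makes outbound requests should also validate the address it actually connects to, since a permitted hostname can resolve to an internal address. The second network indicator above (outbound connections from Kibana to unexpected internal hosts) is what catches that case.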

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability
described in this security advisory was remediated in our Elastic
Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium ( 6.8 ) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-33458
Problem Type: CWE-918 - Server-Side Request Forgery (SSRF)

_____________________________________________________________________


Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-24)
Posted by ismisepaul (Paul), April 8, 2026, 4:18pm

Incorrect Authorization in Kibana Fleet Leading to Information
Disclosure

Incorrect Authorization (CWE-863) in Kibana can lead to information
disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet
privileges can exploit an internal API endpoint to retrieve sensitive
configuration data, including private keys and authentication tokens,
that should only be accessible to users with higher-level settings
privileges. The endpoint composes its response by fetching full
configuration objects and returning them directly, bypassing the
authorization checks enforced by the dedicated settings APIs.


Affected Versions:

    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x:
        All versions from 9.0.0 up to and including 9.2.7
        All versions from 9.3.0 up to and including 9.3.2


Affected Configurations:

Deployments with Fleet enabled where users have been granted the Fleet
Agents privilege without the Fleet Settings privilege. Fleet is
available by default in Kibana, but exploitation requires that a user
has been explicitly assigned Fleet agent management privileges.


Solutions and Mitigations:

The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

For Users that Cannot Upgrade:

    Review Fleet role assignments and ensure users with Fleet agent
privileges are trusted with access to Fleet configuration data, or
remove Fleet agent privileges from untrusted users until the upgrade
can be applied.
    Rotate any proxy credentials (private keys, authentication tokens)
that may have been exposed through the affected endpoint.


Indicators of Compromise (IOC)

Review Kibana audit logs for access to Fleet enrollment settings
endpoints by users who do not have Fleet settings privileges.
Unexpected access patterns from users with only Fleet agent
privileges may indicate exploitation.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability
described in this security advisory was remediated in our Elastic
Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: High ( 7.7 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-33461
Problem Type: CWE-863 - Incorrect Authorization
Impact: CAPEC-122 - Privilege Abuse

_____________________________________________________________________


Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-25)
Posted by ismisepaul (Paul), April 8, 2026, 4:22pm

Incorrect Authorization in Kibana Fleet Leading to Information
Disclosure

Incorrect Authorization (CWE-863) in Kibana can lead to cross-space
information disclosure via Privilege Abuse (CAPEC-122). A user with
Fleet agent management privileges in one Kibana space can retrieve
Fleet Server policy details from other spaces through an internal
enrollment endpoint. The endpoint bypasses space-scoped access controls
by using an unscoped internal client, returning operational identifiers,
policy names, management state, and infrastructure linkage details from
spaces the user is not authorized to access.


Affected Versions:

    8.x: All versions from 8.0.0 up to and including 8.19.13
    9.x:
        All versions from 9.0.0 up to and including 9.2.7
        All versions from 9.3.0 up to and including 9.3.2

Affected Configurations:

Deployments using Kibana Spaces with Fleet enabled are affected.
Exploitation requires that a user has been assigned Fleet agent
management privileges in at least one space, while Fleet Server
policies exist in other spaces.


Solutions and Mitigations:

The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.

For Users that Cannot Upgrade:

Review Fleet role assignments across spaces and ensure users with
Fleet agent privileges are trusted with visibility into Fleet
topology across all spaces, or restrict Fleet privileges to
trusted users only.
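The interim mitigations for ESA-2026-21, ESA-2026-24 and ESA-2026-25 all come down to the same review: which roles grant Fleet sub-feature privileges (agents_all, agent_policies_all, settings_all), in which spaces, and whether agent management is granted without the settings privilege. The following is an added example for this note, not Elastic's tooling. It assumes the input is the list of role objects in the shape returned by GET /api/security/role and that the Fleet feature appears in role definitions under the id "fleetv2"; the sample roles are constructed.

```python
"""Review Kibana roles for the Fleet sub-feature privileges named in
ESA-2026-21, ESA-2026-24 and ESA-2026-25. Added example, not Elastic's code.
Assumptions: role objects as returned by GET /api/security/role; Fleet's
feature id is "fleetv2"; SAMPLE_ROLES is constructed."""
from typing import Any, Dict, FrozenSet, List

FLEET_FEATURE = "fleetv2"
SENSITIVE = ("agents_all", "agent_policies_all", "settings_all")   # named in ESA-2026-21
ALL_SPACES = ["*"]

SAMPLE_ROLES: List[Dict[str, Any]] = [
    {"name": "fleet_agent_ops",
     "kibana": [{"base": [], "feature": {FLEET_FEATURE: ["minimal_all", "agents_all"]},
                 "spaces": ["ops"]}]},
    {"name": "fleet_full_admin",
     "kibana": [{"base": [], "feature": {FLEET_FEATURE: ["all"]}, "spaces": ["*"]}]},
    {"name": "space_admin",
     "kibana": [{"base": ["all"], "feature": {}, "spaces": ["default"]}]},
    {"name": "fleet_viewer",
     "kibana": [{"base": [], "feature": {FLEET_FEATURE: ["read"]}, "spaces": ["*"]}]},
    {"name": "dashboards_only",
     "kibana": [{"base": [], "feature": {"dashboard": ["read"]}, "spaces": ["*"]}]},
]


def effective_fleet_privileges(entry: Dict[str, Any]) -> FrozenSet[str]:
    """Expand one kibana privilege entry into the sensitive Fleet sub-feature
    privileges it implies. A base 'all' or a feature-level 'all' grants every
    sub-feature; 'minimal_all' grants none of them by itself."""
    if "all" in entry.get("base", []):
        return frozenset(SENSITIVE)
    privs = set(entry.get("feature", {}).get(FLEET_FEATURE, []))
    if "all" in privs:
        return frozenset(SENSITIVE)
    return frozenset(p for p in privs if p in SENSITIVE)


def audit_fleet_roles(roles: List[Dict[str, Any]],
                      trusted: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """One finding per (role, privilege entry) that grants a sensitive Fleet
    sub-feature privilege, skipping roles already accepted as trusted."""
    findings = []
    for role in roles:
        if role["name"] in trusted:
            continue
        for entry in role.get("kibana", []):
            privs = effective_fleet_privileges(entry)
            if not privs:
                continue
            spaces = list(entry.get("spaces", []))
            findings.append({
                "role": role["name"],
                "spaces": spaces,
                "fleet_privileges": sorted(privs),
                "via_base_all": "all" in entry.get("base", []),
                # ESA-2026-24: agent management without the settings privilege
                "agents_without_settings": "agents_all" in privs and "settings_all" not in privs,
                # ESA-2026-25: agent management scoped to some spaces only
                "space_limited_agent_access": "agents_all" in privs and spaces != ALL_SPACES,
            })
    return findings


if __name__ == "__main__":
    for f in audit_fleet_roles(SAMPLE_ROLES):
        print(f'{f["role"]:<18} spaces={f["spaces"]} privs={f["fleet_privileges"]} '
              f'agents_without_settings={f["agents_without_settings"]} '
              f'space_limited={f["space_limited_agent_access"]}')
```

Roles that reach Fleet through a base "all" privilege do not mention Fleet at all in their definition, which is why the review expands base privileges rather than grepping for the feature id.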


Indicators of Compromise (IOC)

Review Kibana audit logs for access to Fleet enrollment settings
endpoints. Unusual access patterns from users with Fleet agent
privileges limited to specific spaces may indicate cross-space
enumeration attempts.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the
vulnerability described in this security advisory was remediated
in our Elastic Cloud Serverless offering before the public
disclosure.

Severity: CVSSv3.1: Medium ( 4.3 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-33460
Problem Type: CWE-863 - Incorrect Authorization
Impact: CAPEC-122 - Privilege Abuse

_____________________________________________________________________


Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-26)
Posted by ismisepaul (Paul), April 8, 2026, 4:25pm

Uncontrolled Resource Consumption in Kibana Leading to Denial of
Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to
denial of service via Excessive Allocation (CAPEC-130). An
authenticated user with access to the automatic import feature can
submit specially crafted requests with excessively large input values.
When multiple such requests are sent concurrently, the backend services
become unstable, resulting in service disruption and deployment
unavailability for all users.


Affected Versions:

    8.x: All versions from 8.15.0 up to and including 8.19.13
    9.x:
        All versions from 9.0.0 up to and including 9.2.7
        All versions from 9.3.0 up to and including 9.3.2


Affected Configurations:

Deployments with the automatic import plugin enabled are affected.
The plugin is enabled by default in Kibana 8.15 and later.
Exploitation requires an authenticated user with Fleet and
Integrations privileges.



Solutions and Mitigations:

The issue is resolved in versions 8.19.14, 9.2.8, and 9.3.3.



Indicators of Compromise (IOC)

Monitor for repeated or concurrent requests to automatic import
endpoints from the same user or session, particularly requests
with unusually large payloads.

    Review Kibana audit logs and HTTP access logs for patterns
of high-volume requests to automatic import API endpoints.
    Monitor for HTTP 502 errors that may indicate resource
exhaustion caused by exploitation attempts.
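The indicators above are a rate, a size and a status-code check per user. The following is an added example for this note, not Elastic's code: a sliding-window detector over access-log style records that reports a user crossing a request-count threshold within a window, oversized request bodies, and 502 responses on the watched endpoints. The advisory names no route, so the endpoint prefix is a parameter and the value used in the sample is a placeholder; the records are constructed.

```python
"""Burst, oversized-payload and 502 detection for the automatic import
endpoints of ESA-2026-26. Added example, not Elastic's code. Assumptions:
records carry ts, user, method, path, bytes_in and status; the endpoint
prefix below is a placeholder, not a documented Kibana route."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Any, Deque, Dict, List

PLACEHOLDER_PREFIX = "/internal/automatic_import/"   # placeholder prefix, assumption


def _event(ts: str, user: str, path: str, bytes_in: int = 2_048, status: int = 200) -> Dict[str, Any]:
    return {"ts": ts, "user": user, "method": "POST", "path": path,
            "bytes_in": bytes_in, "status": status}


# Constructed: 'analyst' sends six import requests in 30 s, one of them 5 MB,
# and the backend answers one with 502; 'other' makes two normal calls.
SAMPLE_EVENTS = [
    _event("2026-04-09T09:00:00Z", "analyst", PLACEHOLDER_PREFIX + "analyze"),
    _event("2026-04-09T09:00:04Z", "analyst", PLACEHOLDER_PREFIX + "analyze"),
    _event("2026-04-09T09:00:09Z", "analyst", PLACEHOLDER_PREFIX + "analyze", bytes_in=5_000_000),
    _event("2026-04-09T09:00:13Z", "other", PLACEHOLDER_PREFIX + "analyze"),
    _event("2026-04-09T09:00:15Z", "analyst", PLACEHOLDER_PREFIX + "analyze"),
    _event("2026-04-09T09:00:20Z", "analyst", PLACEHOLDER_PREFIX + "analyze", status=502),
    _event("2026-04-09T09:00:28Z", "analyst", PLACEHOLDER_PREFIX + "analyze"),
    _event("2026-04-09T09:05:00Z", "other", PLACEHOLDER_PREFIX + "analyze"),
    _event("2026-04-09T09:05:30Z", "analyst", "/api/status"),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_import_abuse(events: List[Dict[str, Any]], path_prefix: str,
                        window_seconds: int = 60, burst_threshold: int = 5,
                        size_threshold: int = 1_000_000) -> List[Dict[str, Any]]:
    """Walk events in time order, keeping one sliding window of timestamps per
    user for the watched prefix. A burst is reported once, when the window
    first reaches burst_threshold; large bodies and 502s are reported each time."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: List[Dict[str, Any]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["path"].startswith(path_prefix):
            continue
        ts = parse_ts(ev["ts"])
        if ev.get("bytes_in", 0) >= size_threshold:
            findings.append({"type": "large_payload", "user": ev["user"],
                             "ts": ev["ts"], "bytes_in": ev["bytes_in"]})
        q = recent[ev["user"]]
        q.append(ts)
        while q and ts - q[0] > window:        # drop timestamps outside the window
            q.popleft()
        if len(q) == burst_threshold:
            findings.append({"type": "burst", "user": ev["user"], "ts": ev["ts"],
                             "count": len(q), "window_seconds": window_seconds})
        if ev.get("status") == 502:
            findings.append({"type": "backend_502", "user": ev["user"], "ts": ev["ts"]})
    return findings


def summarize_by_type(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    found = detect_import_abuse(SAMPLE_EVENTS, PLACEHOLDER_PREFIX)
    for f in found:
        print(f)
    print(summarize_by_type(found))
```

The thresholds are deliberately parameters: what counts as "unusually large" or "high-volume" for this feature depends on the deployment, and a 502 on its own is weak evidence until it coincides with a burst or an oversized body from the same user.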

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the
vulnerability described in this security advisory was
remediated in our Elastic Cloud Serverless offering before
the public disclosure.

Severity: CVSSv3.1: Medium ( 6.5 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-33459
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-130 - Excessive Allocation


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




