High severity7.7NVD Advisory· Published Apr 8, 2026· Updated Apr 13, 2026
CVE-2026-4498
CVE-2026-4498
Description
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- osv-coords2 versions
>= 8.0.0, < 8.19.14+ 1 more
- (no CPE)range: >= 8.0.0, < 8.19.14
- (no CPE)range: >= 8.0.0, < 8.19.14
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.