CVE-2026-33461

Name of the Vulnerable Software and Affected Versions Kibana (affected versions not specified)

Description An issue exists in Kibana where incorrect authorization can lead to information disclosure through privilege abuse. A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint constructs its response by fetching full configuration objects and returning them directly, bypassing authorization checks enforced by dedicated settings APIs.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.