PT-2026-44537 · Elastic · Elasticsearch+1

Ismisepaul +1 · Published 2026-05-28 · Updated 2026-06-01 · CVE-2026-49095

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Kibana (affected versions not specified)

Description

Improper input validation in the Kibana Fleet agent policy management feature allows an authenticated user with Fleet management privileges to escalate privileges. By injecting values into a configuration override mechanism that lacks adequate validation, an attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges. This may grant unauthorized read and write access to sensitive Elasticsearch security indices, exceeding the intended permissions of the Fleet management role.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Weakness Enumeration

Related Identifiers

BIT-ELK-2026-49095
BIT-KIBANA-2026-49095
CVE-2026-49095

Affected Products

Elasticsearch
Kibana