PatchSiren cyber security CVE debrief
CVE-2026-49095 Elastic CVE debrief
CVE-2026-49095 is a medium-severity (CVSS 6.5) improper input validation vulnerability (CWE-20) in Kibana's Fleet agent policy management feature, published 2026-05-28. An authenticated attacker with Fleet management privileges can inject malicious values into configuration overrides, causing Elastic Agents to receive API keys with elevated Elasticsearch privileges. This grants unauthorized read/write access to sensitive security indices beyond the intended Fleet management role scope. The vulnerability affects Kibana versions prior to the 8.19.16, 9.3.5, and 9.4.2 security updates. Elastic has assigned internal advisory ESA-2026-38 to this issue.
- Vendor: Elastic
- Product: Kibana
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Kibana with Fleet enabled for centralized Elastic Agent management, particularly those with multiple administrators or delegated Fleet management responsibilities. It is also relevant to security teams monitoring for privilege escalation paths in Elastic Stack deployments and to compliance officers tracking access controls for sensitive security data stores.
Technical summary
The vulnerability exists in Kibana's Fleet feature, which manages Elastic Agent deployments. The agent policy configuration mechanism accepts override values without adequate validation, allowing an authenticated Fleet administrator to inject malicious configuration parameters. When processed, these overrides cause the Fleet Server to generate API keys for Elastic Agents with elevated privileges beyond the standard Fleet management scope. Specifically, attackers can gain unauthorized read and write access to sensitive Elasticsearch security indices (such as .security* indices) that should be inaccessible to Fleet-managed agents. The attack requires valid credentials with Fleet management privileges but does not require user interaction, making it exploitable via API calls or automated tooling once authenticated access is obtained.
Defensive priority
medium
Recommended defensive actions
- Upgrade Kibana to patched versions 8.19.16, 9.3.5, or 9.4.2 or later per Elastic security advisory ESA-2026-38
- Audit Fleet agent policies for unauthorized configuration overrides, particularly those modifying API key privileges or Elasticsearch index access patterns
- Review Elastic Agent API key permissions in Elasticsearch to identify any with excessive privileges granted through Fleet policy manipulation
- Restrict Fleet management role assignments to only trusted administrative users with need for agent policy configuration access
- Monitor Elasticsearch audit logs for anomalous access patterns to security indices from Elastic Agent service accounts
- Validate agent policy configurations through code review or automated scanning before deployment to production environments
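The audit steps above (reviewing Elastic Agent API key permissions for grants that reach security indices) can be scripted. The following is an added example, not code from the advisory or from Elastic: it walks a response in the shape of Elasticsearch's GET /_security/api_key call (shape assumed from the API; the sample keys and the representative index names are constructed) and flags keys whose effective index grants can match a .security* index.

```python
import fnmatch
import json

# Representative names of indices Fleet-managed agents should never reach (constructed here).
SENSITIVE_INDICES = [".security-7", ".security-tokens-7"]

# Constructed sample in the shape of GET /_security/api_key: a clean agent key, one with an
# injected .security* grant, and one with empty role_descriptors (inherits its creator's roles).
SAMPLE_RESPONSE = json.loads("""
{"api_keys": [
 {"id": "key-agent-ok", "name": "agent-policy-1", "invalidated": false,
  "role_descriptors": {"fleet-output": {"indices": [
    {"names": ["logs-*", "metrics-*"], "privileges": ["auto_configure", "create_doc"]}]}},
  "limited_by": [{"superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}]}}]},
 {"id": "key-agent-bad", "name": "agent-policy-2", "invalidated": false,
  "role_descriptors": {"fleet-output": {"indices": [
    {"names": ["logs-*", ".security*"], "privileges": ["read", "write"]}]}},
  "limited_by": [{"superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}]}}]},
 {"id": "key-inherit", "name": "agent-policy-3", "invalidated": false,
  "role_descriptors": {},
  "limited_by": [{"superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}]}}]}
]}
""")

def sensitive_grants(descriptors):
    """Return (role, index_pattern, privileges) for each index grant that can match a sensitive index."""
    hits = []
    for role, desc in descriptors.items():
        for grant in desc.get("indices", []):
            for pattern in grant.get("names", []):
                # Index grants are glob patterns; "*" or ".security*" would reach .security-7.
                if any(fnmatch.fnmatchcase(name, pattern) for name in SENSITIVE_INDICES):
                    hits.append((role, pattern, tuple(grant.get("privileges", []))))
    return hits

def audit_api_keys(response):
    """Flag live API keys whose effective privileges can reach the sensitive indices.

    Effective privileges are the intersection of the key's own role_descriptors and the
    creator's roles (limited_by); empty role_descriptors means the key inherits the
    creator's full privileges, so that case is checked against limited_by instead.
    """
    findings = []
    for key in response.get("api_keys", []):
        if key.get("invalidated"):
            continue
        own = key.get("role_descriptors") or {}
        if own:
            hits = sensitive_grants(own)
        else:
            hits = [h for roles in key.get("limited_by", []) for h in sensitive_grants(roles)]
        if hits:
            findings.append({"id": key["id"], "name": key.get("name"), "grants": hits})
    return findings
```

Run `audit_api_keys` over the JSON returned by the cluster (with an owner filter if you only want the Fleet service account's keys); any finding is a key to invalidate and a policy to inspect for overrides.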
Evidence notes
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The vulnerability requires high privileges (PR:H) but is network-exploitable with low attack complexity. No known exploitation in the wild as of CVE publication date.
Official resources
- CVE-2026-49095 CVE record (CVE.org)
- CVE-2026-49095 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Elastic disclosed this vulnerability via their security advisory on 2026-05-28, with patches available for supported release branches.