{"id":"CVE-2026-4498","summary":"Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope","details":"Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).","aliases":["BIT-elk-2026-4498","BIT-kibana-2026-4498"],"modified":"2026-07-15T21:33:36.894571Z","published":"2026-04-08T16:38:59.327Z","database_specific":{"cwe_ids":["CWE-250"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4498.json","unresolved_ranges":[{"extracted_events":[{"introduced":"8.0.0"},{"last_affected":"8.19.13"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"elastic"},"references":[{"type":"WEB","url":"https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4498.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4498"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"1b6a7ece17463df5ff54a3e1302d825889aa1161"},{"fixed":"f9adf4c29021dbda28cae7d9c11924471798723d"},{"introduced":"112859b85d50de2a7e63f73c8fc70b99eea24291"},{"fixed":"cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1"},{"introduced":"17b451d8979a29e31935fe1eb901310350b30e62"},{"fixed":"640408e2dfd2af9fbfe5079e1575f93d8909a5f5"}],"database_specific":{"cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.19.14"},{"introduced":"9.0.0"},{"fixed":"9.2.8"},{"introduced":"9.3.0"},{"fixed":"9.3.3"}],"source":"CPE_RANGE"}}],"versions":["v9.3.2","v9.3.1","v9.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4498.json","vanir_signatures_modified":"2026-07-15T21:33:36Z","vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"313541444604022866958265865213287872231","length":2564},"id":"CVE-2026-4498-06197982","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"file":"x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java","function":"testInfer_HandlesRerankRequest_Cohere_Format"}},{"target":{"file":"x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["156160656205353710312417330007629646425","27540708710486173236890240881820799260","84518175777564430454801298513242619573","136402608114113847601090415034067017773","16685559839112528659657881848863245510","277835739336649128433308394271788756561","143403250630798963826979644229512419723","242980579120754426761278468243787446353","321462624435310913302967518806687950974","82440798655824113832413828047961730518","300548741379807994336286196384108730640","256779652660472638210534763824804187552","46222788890441027068999511612152366503","48937933508108699071176309781932746930","321970245818726015799678340334047054700","172739829844646851416045766878270726607","153181888051955665546337367444036365656","124203616535444030273644361170629356875","100288444706359222937913017399433232159","309121548608204327250789539063946789326","319438141153746998409517777182091138336","51255505636426694297194044976326173232","250231542314301263066514395393284450737","214203989972935641826654681659282859419","58571146959237865627308032052375046049","47803809438137473017466825957232440899","336707179944840764682142298537860500446","45359245951768277319030149077281059574","58571146959237865627308032052375046049","162652334313199734502565521188201841382","175189539859557767461718357888782510477","165061306684265803088016931257610841584","58571146959237865627308032052375046049","69162281990582052467731627710640533493","128362147427298691431615098578884100365","270868705285420681643886908449567876922","287349046153840999809432690173922512964","294854095830598145422475187835678140215","68466100780771457268999999727315104566","95631642600171755226656183773782482039","229654468484481408976566219960030671636","64548248078566969071175771176786188803","191647534389363118453993355167357423246","146902999317757780523486174473002567414"]},"id":"CVE-2026-4498-1b19fcf4","signature_type":"Line","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d","target":{"file":"modules/data-streams/src/main/java/org/elasticsearch/datastreams/DataStreamFeatures.java","function":"getTestFeatures"},"deprecated":false,"digest":{"function_hash":"172591065224296382284126442597497581211","length":149},"id":"CVE-2026-4498-205e229a"},{"deprecated":false,"digest":{"function_hash":"99452999398060652082735219626109422024","length":479},"id":"CVE-2026-4498-26020941","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d","target":{"function":"collect","file":"x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"}},{"id":"CVE-2026-4498-31c33195","signature_type":"Line","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d","target":{"file":"x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java"},"deprecated":false,"digest":{"line_hashes":["147197169887312857886735333323219312459","491483613690208772789136343704830160","213772482049817814828160520886530819942","15017563729939480673956044845193398348","66567298044037355933417415521528370371","255171595814232248929188556733288140892","285135803330525769565872555920398499332","321415764837193263100786750992843602953","108587633537507210242609878158511307392","92590099996029974464418548733112675829","327002786409111698512253672661836577364","312703616138920692944159426890918111208","337952430790058126244858022050265389024","178709448119223616997213346634751186542","174789135067939310506334339164707391402","210970647024931410295177236523325314805","31930079211214026769678751532751696925","212655538528513921940163469477660321005","15929568647918090673149240164406099863","124667971465892408175573540568304874077","238610354327728892969879097211860508940","218508627040309587567307064187974490689","5757643076504182545399310114120402035"],"threshold":0.9}},{"deprecated":false,"digest":{"line_hashes":["128453270436807859913235475103096199710","177459271109583497706956835150788276861","177163096311313378479293624765758913385","166172364483954264757553938119525195723","3769462355156836715478913078745548042","328165599707046115736013975324429013020"],"threshold":0.9},"id":"CVE-2026-4498-4580553e","signature_type":"Line","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d","target":{"file":"modules/data-streams/src/main/java/org/elasticsearch/datastreams/DataStreamFeatures.java"}},{"target":{"file":"x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/DimensionFieldProducer.java","function":"validate"},"deprecated":false,"digest":{"function_hash":"92422966606385584546788657276874310910","length":496},"id":"CVE-2026-4498-47d88b6f","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/f9adf4c29021dbda28cae7d9c11924471798723d"},{"deprecated":false,"digest":{"function_hash":"197552160985889901664419673985356516486","length":1584},"id":"CVE-2026-4498-51412cf0","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/640408e2dfd2af9fbfe5079e1575f93d8909a5f5","target":{"file":"server/src/test/java/org/elasticsearch/index/mapper/vectors/DenseVectorFieldMapperTests.java","function":"indexMapping"}},{"signature_type":"Line","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"file":"x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java"},"deprecated":false,"digest":{"line_hashes":["235127462228297284959627011147384431967","63416698433777538727099695573337933982","292855198434400605051192605274545575878","67872330018420459796311863072116526347","175773279971023045532788344412093721823","184184491137811567630774351126349740331","208384035772505989315956516357077240404","141253461345257827617096098816021767159"],"threshold":0.9},"id":"CVE-2026-4498-5b18504a"},{"id":"CVE-2026-4498-5ba38e01","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"file":"x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java","function":"createCustomModel"},"deprecated":false,"digest":{"function_hash":"315262054749030809412106802625080574319","length":450}},{"source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"file":"x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java","function":"testInfer_HandlesSparseEmbeddingRequest_Alibaba_Format"},"deprecated":false,"digest":{"function_hash":"37021890429624638425557029306735886735","length":1912},"id":"CVE-2026-4498-d1e131ba","signature_type":"Function","signature_version":"v1"},{"signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"file":"x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java","function":"extractPersistentChunkingSettings"},"deprecated":false,"digest":{"function_hash":"228013337158870705279216444561884658301","length":226},"id":"CVE-2026-4498-e3ef07c4","signature_type":"Function"},{"id":"CVE-2026-4498-e7a4c834","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"function":"testInfer_HandlesCompletionRequest_OpenAI_Format","file":"x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/custom/CustomServiceTests.java"},"deprecated":false,"digest":{"function_hash":"41092078304446841000783939087813094753","length":1721}},{"deprecated":false,"digest":{"function_hash":"326665976071484658195152997738423757368","length":691},"id":"CVE-2026-4498-ec6b2be0","signature_type":"Function","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/cdb2d7a7a46dfe4ef7c3f859b94fb86ba8e652e1","target":{"file":"x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/custom/CustomService.java","function":"parseRequestConfig"}},{"target":{"file":"server/src/test/java/org/elasticsearch/index/mapper/vectors/DenseVectorFieldMapperTests.java"},"deprecated":false,"digest":{"line_hashes":["170568493866625987361505518312236776013","293170206883044799006840083449498043238","127965022065811097656658400917104721951","268080160680196637226945849294657874221"],"threshold":0.9},"id":"CVE-2026-4498-f0c66f7c","signature_type":"Line","signature_version":"v1","source":"https://github.com/elastic/elasticsearch/commit/640408e2dfd2af9fbfe5079e1575f93d8909a5f5"}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"fixed":"f0f7aa44834eefe7c9cee43c8527588e0e952d54"},{"introduced":"504d6bfa94cca17fabb76e06152c30c4f0c3efdd"},{"fixed":"2484ea8af037aecc848b80cdf39f66b62eb7b5a0"},{"introduced":"30ab63cc0017fe2da7a84fb9b285dd762468802d"},{"fixed":"bf7be757e102e9c064ff7161919d283963c7d93d"}],"database_specific":{"cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.19.14"},{"introduced":"9.0.0"},{"fixed":"9.2.8"},{"introduced":"9.3.0"},{"fixed":"9.3.3"}],"source":"CPE_RANGE"}}],"versions":["v9.3.2","v9.3.1","v9.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4498.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}]}