Bypass Record

Exploitation for Priv-Esc × Elastic Kibana Fleet

A publicly-reported instance of Exploitation for Priv-Esc bypassing Elastic Kibana Fleet, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Elastic Kibana Fleet
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: High
Status: unknown
Disclosed: 2026-05-28
Config / version noted: Not stated

Provenance

Reported as

A vulnerability in Kibana Fleet agent policy management allows authenticated users with Fleet management privileges to inject unvalidated values into configuration overrides.

Mechanism

Improper input validation in the configuration override mechanism of Kibana Fleet agent policy management. An attacker with Fleet management privileges injects crafted values into agent policy configuration, leading to issuance of API keys with excessive Elasticsearch privileges, bypassing intended role restrictions.

Detection & mitigation

Monitor Kibana audit logs for modifications to Fleet agent policies, especially changes to configuration overrides that include unexpected or suspicious values. Mitigate by applying the vendor patch for CVE-2026-49095 and enforcing strict input validation on agent policy configurations.
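
One way to run the audit-log check described above, as an added example that is not part of the original record or of Elastic's code. It assumes Kibana audit logging is enabled and written as ECS JSON lines; the saved-object type names, the `expected_users` allowlist and the sample lines are assumptions or constructed values to verify against your own deployment.

```python
import json

# Assumed saved-object types under which Fleet stores agent and package policies.
POLICY_TYPES = {"ingest-agent-policies", "fleet-agent-policies",
                "ingest-package-policies", "fleet-package-policies"}
WRITE_ACTIONS = {"saved_object_create", "saved_object_update"}

def policy_changes(lines, expected_users=frozenset()):
    """Return one finding per Fleet policy write seen in Kibana audit log lines."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines instead of aborting
        if not isinstance(ev, dict):
            continue
        event = ev.get("event") or {}
        obj = (ev.get("kibana") or {}).get("saved_object") or {}
        if event.get("action") not in WRITE_ACTIONS or obj.get("type") not in POLICY_TYPES:
            continue
        user = (ev.get("user") or {}).get("name", "<unknown>")
        findings.append({
            "line": line_no,
            "time": ev.get("@timestamp"),
            "user": user,
            "action": event.get("action"),
            "outcome": event.get("outcome"),
            "policy_type": obj.get("type"),
            "policy_id": obj.get("id"),
            # Saved-object audit events name the object, not its new contents, so
            # the override values must be reviewed on the policy itself.
            "unexpected_user": user not in expected_users,
        })
    return findings

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    '{"@timestamp":"2026-01-01T10:00:00.000Z","event":{"action":"saved_object_update","outcome":"unknown"},"kibana":{"saved_object":{"type":"ingest-agent-policies","id":"policy-a"}},"user":{"name":"fleet-admin"}}',
    '{"@timestamp":"2026-01-01T10:05:00.000Z","event":{"action":"saved_object_update","outcome":"unknown"},"kibana":{"saved_object":{"type":"dashboard","id":"dash-1"}},"user":{"name":"analyst1"}}',
    '{"@timestamp":"2026-01-01T10:09:00.000Z","event":{"action":"saved_object_update","outcome":"unknown"},"kibana":{"saved_object":{"type":"fleet-package-policies","id":"pkg-b"}},"user":{"name":"analyst1"}}',
    '{"@timestamp":"2026-01-01T10:1',
]

if __name__ == "__main__":
    for finding in policy_changes(SAMPLE, expected_users={"fleet-admin"}):
        print(finding)
```

Each finding points to a policy whose configuration overrides should then be compared with the last reviewed version.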

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.