{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26939", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-02-16T16:42:05.774Z", "datePublished": "2026-03-19T17:11:16.507Z", "dateUpdated": "2026-03-19T17:50:30.754Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.2.5", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.3.0", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThanOrEqual": "8.19.11", "status": "affected", "version": "8.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Missing Authorization (CWE-862) in Kibana\u2019s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.</p>"}], "value": "Missing Authorization (CWE-862) in Kibana\u2019s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-03-19T17:11:16.507Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530"}], "source": {"discovery": "Elastic"}, "title": "Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T17:50:20.698249Z", "id": "CVE-2026-26939", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T17:50:30.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26939", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T17:50:20.698249Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T17:50:23.146Z"}}], "cna": {"title": "Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.2.5"}, {"status": "affected", "version": "9.3.0", "versionType": "semver", "lessThanOrEqual": "9.3.0"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.19.11"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Missing Authorization (CWE-862) in Kibana\u2019s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.", "supportingMedia": [{"type": "text/html", "value": "<p>Missing Authorization (CWE-862) in Kibana\u2019s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-03-19T17:11:16.507Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26939", "state": "PUBLISHED", "dateUpdated": "2026-03-19T17:50:30.754Z", "dateReserved": "2026-02-16T16:42:05.774Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-03-19T17:11:16.507Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "E939FB01-9CDD-4A24-B5E9-6F7A8C984917", "versionEndExcluding": "8.19.12", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "F14ACA8C-46A2-42EF-9F63-AEF657C6736A", "versionEndExcluding": "9.2.6", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E90DE12-A5EC-4C3C-A86E-BF5AA0778628", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization (CWE-862) in Kibana\u2019s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges."}], "id": "CVE-2026-26939", "lastModified": "2026-03-23T13:36:57.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@elastic.co", "type": "Secondary"}]}, "published": "2026-03-19T18:16:21.690", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "Kibana: Kibana: Unauthorized system control via missing authorization", "id": "2449144", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449144"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in Kibana. An authenticated attacker with rule management privileges could exploit a missing authorization vulnerability in the server-side Detection Rule Management. This allows the attacker to configure unauthorized endpoint response actions, such as host isolation, process termination, and process suspension. This could lead to a denial of service or impact on system integrity."], "name": "CVE-2026-26939", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-03-19T17:11:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26939\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26939\nhttps://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.2.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "9.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.19.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kibana", "source": "cna", "vendor": "Elastic"}, "product": "kibana", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-03-23T15:06:46.779126+00:00", "value": {"mitigation_remediation": ["Apply the latest official Kibana security update released by Elastic for this CVE", "Restrict rule\u2011management permissions to trusted accounts only", "Verify that role\u2011based access controls are correctly enforced for endpoint\u2011response actions", "Monitor Kibana logs for unexpected changes to endpoint\u2011response configurations"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Elastic Kibana is affected. All Kibana installations lacking the latest security update are vulnerable, with specific references to releases 9.3.0 and earlier as indicated by the common product enumeration strings.", "description_and_impact": "The flaw is a missing authorization check in Kibana\u2019s server\u2011side Detection Rule Management that allows an authenticated attacker with rule\u2011management privileges to configure endpoint\u2011response actions such as host isolation, process termination, or suspension. This unauthorized configuration can compromise host integrity or cause denial of service by altering endpoint behavior.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Because exploitation requires an authenticated user with rule\u2011management privileges, the risk is limited to environments where such privileges are not tightly controlled; nevertheless, the potential to alter endpoint controls warrants prompt attention."}}}}, "created": "2026-03-20T08:56:34.304311+00:00", "updated": "2026-03-25T11:55:16.620446+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}