4 matches found
BIT-KIBANA-2026-4498 Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse CAPEC-122. This requires an authenticated Kibana user with Fleet sub-feature privileges such as agents, agent...
PT-2026-32433
Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse CAPEC-122. This requires an authenticated Kibana user with Fleet sub-feature privileges such as agents, agent...
CVE-2026-4498
CVE-2026-4498 concerns Kibana, specifically the Fleet plugin, where execution with unnecessary privileges arises from Kibana’s Fleet debug route handlers. An authenticated Kibana user with Fleet sub-feature privileges (e.g., agents, agent policies, settings management) can read index data beyond ...
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Impact Unauthorized access or privilege escalation due to a logic flaw in auth in the App Router or getAuth in the Pages Router. Affected Versions All applications that that use @clerk/nextjs versions in the range of = 4.7.0, 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or...