CVE-2026-26938
Status: Received - Intake
Template Injection in Kibana Workflows Enables SSRF, File Read

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: Elastic

Description
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: elastic
Product: kibana
Version / Range: 9.3.0
CWE-1336: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Executive Summary

CVE-2026-26938 is a high-severity vulnerability in Kibana's Workflows feature caused by improper neutralization of special elements in the template engine (CWE-1336).

This flaw allows an authenticated user with the workflowsManagement:executeWorkflow privilege to inject code that can read arbitrary files from the Kibana server filesystem and perform Server-Side Request Forgery (SSRF) attacks.

The vulnerability is exploited through code injection (CAPEC-242) within the Workflows feature, which is disabled by default in Kibana version 9.3.0 and fixed in version 9.3.1. [1]

Impact Analysis

An attacker with valid authentication and the required privilege can exploit this vulnerability to read sensitive files on the Kibana server, potentially exposing confidential information.

Additionally, the attacker can perform Server-Side Request Forgery (SSRF) attacks, which may allow them to interact with internal systems or services that are otherwise inaccessible.

These impacts can lead to data breaches, unauthorized access to internal resources, and compromise of the server environment.

Mitigation Strategies

To mitigate CVE-2026-26938, you should upgrade Kibana to version 9.3.1 where the vulnerability is fixed.

If upgrading is not immediately possible, ensure the Workflows feature in Kibana is disabled; it is disabled by default in version 9.3.0 and must be explicitly enabled in Advanced Settings, so confirm that it has not been turned on.

Note that Elastic Cloud Serverless environments were patched prior to public disclosure.
