CVE-2026-26938
Template Injection in Kibana Workflows Enables SSRF, File Read
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: Elastic
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | 9.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26938 is a high-severity vulnerability in Kibana's Workflows feature caused by improper neutralization of special elements in the template engine (CWE-1336).
An authenticated user who holds the workflowsManagement:executeWorkflow privilege can inject template expressions that read arbitrary files from the Kibana server filesystem and perform Server-Side Request Forgery (SSRF) from the Kibana host.
The issue is a form of code injection (CAPEC-242). The Workflows feature is disabled by default in Kibana 9.3.0, the only version listed as affected, and the fix ships in 9.3.1. [1]
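The following is an added, generic illustration of CWE-1336; it is not Kibana code and does not model the Workflows template engine or the exact behaviour of CVE-2026-26938. It uses Python's str.format as a stand-in template engine to show the mistake the CWE describes: externally controlled text placed in the template position (so its syntax is evaluated against reachable objects) versus the hardened form, where user text only ever fills a placeholder as an opaque value. The RenderContext class, its attribute values and the probe strings are constructed for the example.

```python
"""Generic illustration of CWE-1336 (template injection), written for this page.

This is an added example and is not Kibana code; it does not model the
Workflows template engine or the exact CVE-2026-26938 behaviour. It shows
the mistake the CWE describes: externally controlled text is placed in the
*template* position instead of the *data* position, so anything that looks
like template syntax inside it is evaluated by the engine against the
objects the template can reach.
"""
import string


class RenderContext:
    """Constructed stand-in for the object graph a template is rendered
    against. The api_key is a made-up value, not a real credential."""

    def __init__(self) -> None:
        self.hostname = "kibana.example.internal"
        self.api_key = "hypothetical-api-key-not-real"


def render_unsafe(user_supplied: str, ctx: RenderContext) -> str:
    """Vulnerable pattern: the caller's string *is* the template.

    str.format is a small template engine: ``{ctx.attr}`` and
    ``{ctx.attr[key]}`` walk attributes and mappings of ``ctx``. A user
    who controls the template text can therefore pull out any attribute
    reachable from ``ctx``, including ones never meant to be exposed.
    """
    return user_supplied.format(ctx=ctx)


def render_safe(user_supplied: str, ctx: RenderContext) -> str:
    """Hardened pattern: the template is fixed and developer-controlled;
    the caller's text only ever fills a placeholder as an opaque value.

    string.Template.safe_substitute never re-parses substituted values,
    so ``$host`` or ``{ctx.api_key}`` inside user text stays literal.
    """
    template = string.Template("Hello $name, this is $host")
    return template.safe_substitute(name=user_supplied, host=ctx.hostname)


# Constructed attacker inputs: the same strings are fed to both renderers.
PROBES = (
    "{ctx.api_key}",                 # direct attribute read
    "{ctx.__class__.__name__}",      # object-graph traversal via dunder attrs
    "$host",                         # would be a placeholder if re-parsed
)


def compare() -> dict:
    """Render every probe both ways; returns {probe: (unsafe, safe)}."""
    ctx = RenderContext()
    return {p: (render_unsafe(p, ctx), render_safe(p, ctx)) for p in PROBES}


if __name__ == "__main__":
    for probe, (unsafe, safe) in compare().items():
        print(f"{probe!r:32} unsafe -> {unsafe!r}")
        print(f"{'':32} safe   -> {safe!r}")
```

The point of the comparison is structural rather than about filtering: the hardened renderer does not try to strip braces or dollar signs from the input, it simply never hands user text to the engine as a template, so there is no syntax for the engine to interpret.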
How can this vulnerability impact me?
An attacker with valid credentials and the workflowsManagement:executeWorkflow privilege can exploit this vulnerability to read sensitive files on the Kibana server, potentially exposing configuration and other confidential information.
Additionally, the attacker can perform Server-Side Request Forgery (SSRF) attacks, which may allow them to interact with internal systems or services that are otherwise inaccessible.
These impacts can lead to data breaches, unauthorized access to internal resources, and compromise of the server environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-26938, upgrade Kibana to version 9.3.1, where the vulnerability is fixed.
If upgrading is not immediately possible, keep the Workflows feature disabled: it is off by default in 9.3.0 and is only active if someone explicitly enabled it in Advanced Settings. Because exploitation also requires the workflowsManagement:executeWorkflow privilege, restricting that privilege to trusted users limits who can reach the vulnerable code path.
Note that Elastic Cloud Serverless environments were patched prior to public disclosure.
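As an added example for the mitigation steps above (not Elastic tooling, and not from the original page), the script below decides whether a Kibana instance falls in the affected range using only what this page states: 9.3.0 is the sole version listed as affected and 9.3.1 carries the fix. The live-check helper assumes Kibana's GET /api/status endpoint, which reports the running version under version.number, and uses placeholder URL and basic-auth credentials; the sample response bodies are constructed. It does not test whether Workflows is enabled, because the page does not name the Advanced Settings key.

```python
"""Check whether a Kibana instance is in the affected range for CVE-2026-26938.

Added example for this page, not Elastic tooling. It relies on two things
the page states: only Kibana 9.3.0 is listed as affected, and 9.3.1 ships
the fix. The HTTP helper assumes Kibana's GET /api/status endpoint, which
reports the running version as ``version.number``; the URL and credentials
are placeholders supplied by the caller. Whether Workflows is enabled is
not checked here, because the page does not name the Advanced Settings key.
"""
import base64
import json
import re
import urllib.request

# Affected versions as listed on this page (vendor: elastic, product: kibana).
AFFECTED_VERSIONS = {(9, 3, 0)}
FIXED_VERSION = (9, 3, 1)


def parse_version(text: str) -> tuple:
    """Turn '9.3.0' or '9.3.1-SNAPSHOT' into (9, 3, 1); raises on junk."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text: str) -> bool:
    """True only for versions this page lists as affected."""
    return parse_version(version_text) in AFFECTED_VERSIONS


def assess(status_json: str) -> dict:
    """Evaluate a /api/status response body (as text) and return a verdict."""
    version = json.loads(status_json)["version"]["number"]
    affected = is_affected(version)
    if affected:
        advice = ("upgrade to %d.%d.%d; until then keep Workflows disabled in "
                  "Advanced Settings and restrict workflowsManagement:executeWorkflow"
                  % FIXED_VERSION)
    else:
        advice = "not in the affected range listed for CVE-2026-26938"
    return {"version": version, "affected": affected, "advice": advice}


def fetch_status(base_url: str, user: str, password: str) -> str:
    """GET /api/status with HTTP basic auth (placeholders supplied by the caller)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/status")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample bodies, trimmed to the field this check needs.
SAMPLE_AFFECTED = json.dumps({"name": "kibana-1", "version": {"number": "9.3.0"}})
SAMPLE_FIXED = json.dumps({"name": "kibana-1", "version": {"number": "9.3.1"}})


if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED):
        print(assess(sample))
    # Live check against a real instance (placeholder URL and credentials;
    # assumes basic auth is accepted by that deployment):
    # print(assess(fetch_status("https://kibana.example.internal:5601", "admin", "pw")))
```

A version of exactly 9.3.0 is the trigger here; an instance on 9.3.0 with Workflows still off is not exposed per the page, but the script flags it anyway so that the Advanced Settings state gets checked by hand rather than assumed.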