CVE-2026-33458
Status: Received - Intake
Server-Side Request Forgery in Kibana Workflows Enables Data Disclosure

Publication date: 2026-04-08

Last updated on: 2026-04-13

Assigner: Elastic

Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: elastic
Product: kibana
Version / Range: from 9.3.0 (inclusive) to 9.3.3 (exclusive)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33458 is a Server-Side Request Forgery (SSRF) vulnerability in Kibana One Workflow versions 9.3.0 through 9.3.2. It allows an authenticated user who has privileges to create and execute workflows to bypass host allowlist restrictions in the Workflows Execution Engine. This means the user can make the system send requests to internal endpoints that are normally protected, potentially exposing sensitive internal data.


How can this vulnerability impact me?

This vulnerability can lead to information disclosure by exposing sensitive internal endpoints and data that should be protected. An attacker with limited privileges can exploit this to access internal network resources, which could result in unauthorized access to confidential information. Monitoring workflow execution logs, audit logs, and network logs for unusual HTTP requests or redirects can help detect exploitation attempts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring workflow execution logs and network activity related to Kibana's Workflows Execution Engine.

  • Review workflow execution logs for HTTP steps that result in redirect responses targeting internal hosts outside the allowlist.
  • Check Kibana audit logs for HTTP step executions that exhibit redirect-following behavior.
  • Monitor network logs for unexpected outbound connections from Kibana to internal hosts.

Suggested commands might include using tools like 'grep' or 'jq' to filter Kibana logs for suspicious HTTP redirect patterns, and network monitoring commands such as 'netstat', 'tcpdump', or 'wireshark' to detect unusual outbound connections.
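As a concrete form of the log review described above, here is a small added detection script (not Elastic's code and not taken from this advisory). It reads workflow execution log lines, keeps only HTTP steps that returned a redirect, resolves the Location target the way a client would, and flags any hop whose host is either an internal address or a name outside the configured allowlist. The JSON field names (`workflow_id`, `step`, `url`, `status`, `location`), the allowlist and the sample log lines are all constructed for this example; the real Kibana log schema will differ, so adapt the field names before running it against production logs.

```python
"""Flag workflow HTTP steps whose redirects land outside a host allowlist."""
from __future__ import annotations

import ipaddress
import json
from typing import Iterable, Optional
from urllib.parse import urljoin, urlparse

# Hosts the workflow HTTP step is permitted to contact (constructed for this example).
ALLOWED_HOSTS = {"api.example.com", "hooks.example.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed log lines in a hypothetical JSON shape; the real Kibana workflow
# execution log schema is different, so the field names here are assumptions.
SAMPLE_LOG_LINES = [
    '{"workflow_id": "wf-1", "step": "http.get", "url": "https://api.example.com/v1/data", "status": 200}',
    '{"workflow_id": "wf-2", "step": "http.get", "url": "https://api.example.com/r", "status": 302, "location": "http://10.0.0.5:8080/internal/status"}',
    '{"workflow_id": "wf-3", "step": "http.post", "url": "https://hooks.example.com/v1/hook", "status": 301, "location": "https://hooks.example.com/v2/hook"}',
    '{"workflow_id": "wf-4", "step": "http.get", "url": "https://api.example.com/old", "status": 307, "location": "/new"}',
    '{"workflow_id": "wf-5", "step": "http.get", "url": "https://api.example.com/r", "status": 302, "location": "http://intranet.corp.local/reports"}',
    'this line is not JSON and should be skipped',
    '{"workflow_id": "wf-6", "step": "log", "message": "done"}',
]


def is_internal_host(host: str) -> bool:
    """True for 'localhost' and for loopback, private or link-local IP literals."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: allowlist membership decides instead
    return addr.is_private or addr.is_loopback or addr.is_link_local


def classify_host(host: str, allowed: set[str]) -> Optional[str]:
    """Return a reason string when the host is not permitted, else None."""
    if host in allowed:
        return None
    if is_internal_host(host):
        return "internal address"
    return "host outside allowlist"


def scan(lines: Iterable[str], allowed: set[str] = ALLOWED_HOSTS) -> list[dict]:
    """Return one finding per HTTP step that reached a disallowed host."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; skip rather than abort the whole scan
        if not str(entry.get("step", "")).startswith("http"):
            continue
        url = entry.get("url", "")
        initial_host = urlparse(url).hostname or ""
        reason = classify_host(initial_host, allowed)
        if reason:
            # The allowlist should have blocked this before the request was sent.
            findings.append({"workflow_id": entry.get("workflow_id"),
                             "target": url, "reason": f"initial request to {reason}"})
            continue
        if entry.get("status") not in REDIRECT_STATUSES or "location" not in entry:
            continue
        # Resolve relative Location values against the request URL, as a client would.
        target = urljoin(url, entry["location"])
        host = urlparse(target).hostname or ""
        reason = classify_host(host, allowed)
        if reason:
            findings.append({"workflow_id": entry.get("workflow_id"),
                             "target": target, "reason": f"redirect to {reason}"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"{finding['workflow_id']}: {finding['reason']} ({finding['target']})")
```

Run against the constructed lines, the script reports wf-2 (redirect to a private address) and wf-5 (redirect to a name outside the allowlist) and ignores the relative redirect in wf-4, which resolves back to an allowed host. The same check is worth applying per hop in the HTTP step itself, since validating only the initial URL and then following redirects is exactly the gap the detection rules above are looking for.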


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Kibana to version 9.3.3 or later, where this vulnerability has been resolved.

Additionally, if the Workflows Execution Engine is not required, consider disabling it to reduce exposure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Kibana One Workflow allows an authenticated user to bypass host allowlist restrictions, potentially exposing sensitive internal endpoints and data. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive and personal information from unauthorized access or disclosure.

Organizations using affected Kibana versions should consider this vulnerability a risk to their compliance posture, as unauthorized internal data exposure may violate regulatory requirements for data confidentiality and security.

