CVE-2026-33458
Status: Received - Intake
Server-Side Request Forgery in Kibana Workflows Enables Data Disclosure

Publication date: 2026-04-08

Last updated on: 2026-04-13

Assigner: Elastic

Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Vendor: elastic
Product: kibana
Version / Range: from 9.3.0 (inclusive) to 9.3.3 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-33458 is a Server-Side Request Forgery (SSRF) vulnerability in Kibana One Workflow versions 9.3.0 through 9.3.2. It allows an authenticated user who has privileges to create and execute workflows to bypass host allowlist restrictions in the Workflows Execution Engine. This means the user can make the system send requests to internal endpoints that are normally protected, potentially exposing sensitive internal data.

Impact Analysis

The outcome is information disclosure: the Workflows Execution Engine makes outbound HTTP requests on the user's behalf, so an authenticated user who holds workflow creation and execution privileges can direct those requests at internal endpoints the host allowlist was meant to keep off limits, and read the responses. In practice that means anything reachable from the Kibana host but not from the user, such as internal admin interfaces, cloud instance metadata services, or services bound to loopback. The prerequisite privileges narrow the attacker population to workflow authors, but any such user, including one whose credentials have been phished or whose API key has leaked, has the same reach.

Detection Guidance

Exploitation leaves traces in two places: Kibana's own workflow execution and audit logs, and the network traffic that the Kibana host originates. The advisory does not describe the bypass technique; the indicators below assume the common pattern in which an allowlisted host answers with a redirect to a non-allowlisted or internal one, so they should be read as a starting point rather than a signature.

  • Review workflow execution logs for HTTP steps whose response is a 3xx redirect whose Location header names a host outside the allowlist, particularly loopback, RFC 1918, or link-local addresses (169.254.169.254 is the cloud metadata service and a classic SSRF target).
  • Check Kibana audit logs for HTTP step executions that follow redirects, and pivot on the workflow ID and the user who created or ran it; a workflow created and run within minutes by an account that does not normally author workflows deserves a closer look.
  • Monitor network logs for outbound connections from the Kibana host to internal addresses other than its Elasticsearch nodes and other expected dependencies.

Concretely, filter the JSON log lines with jq (or a short script) for HTTP-step events with a 3xx status and a Location host outside the allowlist, and on the network side use tcpdump, a flow collector, or Zeek to alert on Kibana-originated connections to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 169.254.169.254 that do not match a known dependency.
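The triage logic described above, written out as an added example that is not part of this page or of Kibana. Kibana's actual workflow log schema is not reproduced here, so the sample log lines are constructed and the field names (`event.action`, `url.original`, `http.response.headers.location`, and so on) are assumptions; the allowlist is likewise a placeholder for whatever the deployment configures. The script flags three things: requests to hosts outside the allowlist, requests to internal or non-routable addresses, and redirect responses whose target falls into either category.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Hypothetical outbound allowlist for the deployment; the real value lives in
# the Kibana workflows configuration and is not shown on the advisory page.
ALLOWED_HOSTS = {"api.example.com", "hooks.example.com"}

# Constructed sample log lines (not real Kibana output; field names assumed).
# wf-7 is the suspicious sequence: an allowlisted host answers 302 to the
# cloud metadata service, then the engine fetches the metadata URL directly.
SAMPLE_LOG = """\
{"@timestamp":"2026-04-09T10:01:02Z","event.action":"workflow.step.http","workflow.id":"wf-1","user.name":"alice","url.original":"https://api.example.com/v1/items","http.response.status_code":200}
{"@timestamp":"2026-04-09T10:02:07Z","event.action":"workflow.step.http","workflow.id":"wf-7","user.name":"mallory","url.original":"https://hooks.example.com/r","http.response.status_code":302,"http.response.headers.location":"http://169.254.169.254/latest/meta-data/"}
{"@timestamp":"2026-04-09T10:02:08Z","event.action":"workflow.step.http","workflow.id":"wf-7","user.name":"mallory","url.original":"http://169.254.169.254/latest/meta-data/","http.response.status_code":200}
{"@timestamp":"2026-04-09T10:03:00Z","event.action":"workflow.step.http","workflow.id":"wf-9","user.name":"bob","url.original":"https://hooks.example.com/r","http.response.status_code":302,"http.response.headers.location":"https://api.example.com/ok"}
{"@timestamp":"2026-04-09T10:04:00Z","event.action":"workflow.step.http","workflow.id":"wf-3","user.name":"carol","url.original":"http://localhost:9200/_cluster/health","http.response.status_code":200}
"""


def is_internal_host(host: str) -> bool:
    """True for loopback names and for any literal address that is not globally
    routable (loopback, RFC 1918, link-local incl. 169.254.169.254, CGNAT...)."""
    host = host.strip("[]").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for log triage
    return not addr.is_global


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def triage_event(ev: dict) -> list:
    """Return (reason, target_host) pairs for one HTTP-step event."""
    findings = []
    req_host = host_of(ev.get("url.original", ""))
    if req_host and req_host not in ALLOWED_HOSTS:
        findings.append(("request-off-allowlist", req_host))
    if req_host and is_internal_host(req_host):
        findings.append(("request-to-internal", req_host))
    status = ev.get("http.response.status_code", 0)
    location = ev.get("http.response.headers.location")
    if 300 <= status < 400 and location:
        loc_host = host_of(location)
        if loc_host not in ALLOWED_HOSTS:
            findings.append(("redirect-off-allowlist", loc_host))
        if is_internal_host(loc_host):
            findings.append(("redirect-to-internal", loc_host))
    return findings


def find_suspicious(log_text: str) -> list:
    """Scan JSON-lines log text and return one dict per finding."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event.action") != "workflow.step.http":
            continue
        for reason, target in triage_event(ev):
            hits.append({"ts": ev["@timestamp"], "workflow": ev["workflow.id"],
                         "user": ev["user.name"], "reason": reason, "target": target})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["workflow"]:6} {h["user"]:8} {h["reason"]:24} {h["target"]}')
```

Feed real Kibana logs through the same function by replacing `SAMPLE_LOG` with the file contents once the field names have been mapped to the deployment's actual schema. Note that wf-9 redirects to another allowlisted host and is correctly left alone; the point of the redirect checks is the destination of the hop, not the fact of a redirect.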

Mitigation Strategies

The fix is to upgrade Kibana to version 9.3.3 or later, where this vulnerability has been resolved. Until the upgrade lands, reduce the attacker population: the bug requires both workflow creation and workflow execution privileges, so audit which roles grant them and remove them from accounts that do not need to author workflows.

Additionally, if the Workflows Execution Engine is not required, consider disabling it to reduce exposure. Where it is required, network-level egress filtering on the Kibana host (allowing outbound traffic only to the Elasticsearch nodes and the external services workflows legitimately call, and denying the cloud metadata address) limits what an allowlist bypass can reach, since an application-layer allowlist is exactly the control this vulnerability defeats.
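To show why an application-layer host allowlist needs more than a single check on the initial URL, here is an added example, written for this page and not taken from Kibana's code base, that contrasts a weak outbound-request helper with a hardened one. The advisory does not say how the allowlist was bypassed; the example assumes the redirect-following scenario, which is the most common way such allowlists fail, and it also covers an allowlisted name that resolves to an internal address. The transport (`fake_send`) and resolver (`fake_resolver`) are constructed stand-ins so the code runs offline; the allowlist and the metadata URL are placeholders.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Hypothetical outbound allowlist for a deployment (the real setting lives in
# the Kibana workflows configuration and is not reproduced on this page).
ALLOWED_HOSTS = {"api.example.com", "hooks.example.com"}
MAX_REDIRECTS = 3
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class BlockedDestination(Exception):
    """Raised when a request (or a redirect hop) leaves the allowed set."""


def check_destination(url: str, resolver) -> None:
    """Reject a URL unless its scheme is http(s), its host is allowlisted, and
    every address the host resolves to is globally routable. `resolver` maps a
    hostname to a list of address strings; it is injected so the example runs
    offline, but in production it would be the same lookup the client uses."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        raise BlockedDestination(f"scheme not allowed: {parts.scheme!r}")
    if host not in ALLOWED_HOSTS:
        raise BlockedDestination(f"host not in allowlist: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise BlockedDestination(f"host did not resolve: {host!r}")
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            raise BlockedDestination(f"{host!r} resolves to non-public {a}")


def fetch_naive(url: str, send, resolver):
    """Weak pattern: the allowlist is consulted once, then redirects are
    followed blindly. Any allowlisted server that answers 3xx can steer the
    engine to an internal endpoint."""
    check_destination(url, resolver)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = send(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise BlockedDestination("too many redirects")


def fetch_checked(url: str, send, resolver):
    """Hardened pattern: the client's automatic redirect handling is off, every
    hop is re-validated against the same policy before it is sent, and the
    number of hops is capped."""
    for _ in range(MAX_REDIRECTS + 1):
        check_destination(url, resolver)
        status, headers, body = send(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise BlockedDestination("too many redirects")


# Constructed stand-ins for the network: a fake transport and a fake resolver.
FAKE_NET = {
    "https://api.example.com/ok": (200, {}, b"fine"),
    "https://api.example.com/jump": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"iam/security-credentials/"),
    "https://hooks.example.com/": (200, {}, b"internal"),
}
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],      # public address (constructed entry)
    "hooks.example.com": ["10.0.0.5"],         # allowlisted name pointing inside
    "169.254.169.254": ["169.254.169.254"],
}


def fake_send(url):
    return FAKE_NET.get(url, (404, {}, b""))


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    print("naive  :", fetch_naive("https://api.example.com/jump", fake_send, fake_resolver))
    for target in ("https://api.example.com/jump", "https://hooks.example.com/"):
        try:
            print("checked:", fetch_checked(target, fake_send, fake_resolver))
        except BlockedDestination as e:
            print("checked: blocked,", e)
```

The naive helper happily returns the metadata service's response; the checked helper refuses the hop, and also refuses `hooks.example.com` because its address is private even though the name is allowlisted. In a real client, disabling automatic redirects (rather than re-checking after the fact) is what makes the per-hop check possible.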

Compliance Impact

The vulnerability in Kibana One Workflow allows an authenticated user to bypass host allowlist restrictions, potentially exposing sensitive internal endpoints and data. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive and personal information from unauthorized access or disclosure.

Organizations using affected Kibana versions should consider this vulnerability a risk to their compliance posture, as unauthorized internal data exposure may violate regulatory requirements for data confidentiality and security.
