CVE-2026-42398
Kibana Server-Side Request Forgery via Webhook Connector
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Elastic
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) issue in Kibana. It allows authenticated users who have connector management privileges to bypass the connection allowlist that the operator has configured. By setting up a Webhook connector with a specially crafted target, an attacker can make Kibana send outbound requests to destinations that should have been blocked by egress restrictions.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with certain privileges can cause Kibana to send requests to unauthorized external or internal destinations. This can lead to unauthorized data exposure or interaction with internal systems that were meant to be protected by egress controls. The vulnerability has a high confidentiality impact, meaning sensitive information could be disclosed, but it does not affect integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to bypass egress restrictions and send outbound requests to unauthorized destinations, potentially exposing confidential data.
This unauthorized outbound network access could lead to confidentiality breaches, which may impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive information.
However, the provided information does not explicitly detail the direct effects on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your Kibana deployment is running a vulnerable version (9.0.0 through 9.2.7 or 9.3.0 through 9.3.1) and if users with connector management privileges have configured Webhook connectors that bypass egress restrictions.
You can check the Kibana version by running the following command on the server hosting Kibana:
- curl -X GET "http://localhost:5601/api/status" -H "kbn-xsrf: true" | grep version
To detect suspicious outbound requests that bypass the allowlist, monitor network traffic for unexpected outbound connections from the Kibana server, especially those that should be blocked by the `xpack.actions.allowedHosts` setting.
You can use network monitoring tools or commands such as:
- tcpdump -i <interface> src host <kibana-server-ip> and not (dst host <allowed-host-1> or dst host <allowed-host-2>)
- netstat -anp | grep kibana
Additionally, review the configuration of Webhook connectors in Kibana to identify any crafted targets that could be used to bypass egress restrictions.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Kibana to a patched version where this vulnerability is fixed.
- Upgrade to Kibana version 9.2.8 or later, or 9.3.2 or later.
If upgrading immediately is not possible, restrict connector management privileges to trusted users only and review or disable Webhook connectors that could be exploited.
Also, review and tighten the `xpack.actions.allowedHosts` setting to ensure outbound connections are properly restricted.
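The detection and mitigation answers above both come down to two checks: is the deployment inside the affected version ranges stated here (9.0.0 through 9.2.7, 9.3.0 through 9.3.1), and is `xpack.actions.allowedHosts` still the permissive wildcard? The following script, an added example rather than Elastic's or this page's own code, performs both checks offline. It assumes the `/api/status` response carries the version under `version.number` and that an absent `xpack.actions.allowedHosts` key means Kibana's wildcard default; the status JSON and `kibana.yml` fragments are constructed samples, not captures from a real system.

```python
"""Audit a Kibana deployment against the version ranges and allowlist setting
named in this advisory. Added example, not Elastic's code. The status JSON and
kibana.yml below are constructed samples; a real run would fetch
http://localhost:5601/api/status and read the deployment's own kibana.yml."""
import json
import re

# Affected ranges exactly as stated in the advisory text (inclusive bounds).
AFFECTED_RANGES = [((9, 0, 0), (9, 2, 7)), ((9, 3, 0), (9, 3, 1))]
FIXED_VERSIONS = ["9.2.8", "9.3.2"]


def parse_version(text):
    """Turn '9.2.7' (optionally with a build suffix) into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_status(status_json):
    """Extract version.number from a /api/status body (assumed field layout)."""
    return json.loads(status_json)["version"]["number"]


def allowed_hosts_from_yaml(yaml_text):
    """Minimal reader for xpack.actions.allowedHosts without a YAML library.
    Handles the flow form ('[a, b]') and the block form ('- a' on following lines)."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith("xpack.actions.allowedHosts"):
            continue
        _, _, value = stripped.partition(":")
        value = value.strip()
        if value.startswith("["):
            return [h.strip().strip("'\"") for h in value.strip("[]").split(",") if h.strip()]
        hosts = []
        for nxt in lines[i + 1:]:
            s = nxt.strip()
            if not s.startswith("- "):
                break
            hosts.append(s[2:].strip().strip("'\""))
        return hosts
    return ["*"]  # assumed: Kibana's default when the key is not set


def audit(status_json, yaml_text):
    """Return the observed version, the allowlist, and any findings to act on."""
    version = version_from_status(status_json)
    hosts = allowed_hosts_from_yaml(yaml_text)
    findings = []
    if is_affected(version):
        findings.append(f"Kibana {version} is in an affected range; upgrade to "
                        f"{' or '.join(FIXED_VERSIONS)}")
    if "*" in hosts:
        findings.append("xpack.actions.allowedHosts permits any host ('*'); "
                        "restrict it to the hosts connectors actually need")
    return {"version": version, "allowed_hosts": hosts, "findings": findings}


# Constructed sample inputs (not captured from a real deployment).
SAMPLE_STATUS = ('{"name": "kibana-1", "version": {"number": "9.2.7", '
                 '"build_hash": "<placeholder>"}, '
                 '"status": {"overall": {"level": "available"}}}')
SAMPLE_YAML_WEAK = """server.port: 5601
xpack.actions.allowedHosts:
  - '*'
"""
SAMPLE_YAML_TIGHT = """server.port: 5601
xpack.actions.allowedHosts: ["hooks.example.internal", "alerts.example.internal"]
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS, SAMPLE_YAML_WEAK)["findings"]:
        print("FINDING:", finding)
```

The allowlist reader is deliberately narrow: it covers the two list spellings Kibana documentation uses for this key and nothing else, so on a `kibana.yml` with unusual YAML layout it should be swapped for a real YAML parser rather than trusted.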