Skip to main content

Elastic CVE-2026-33458

| EUVDEUVD-2026-20519 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 elastic
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 18:16 euvd
EUVD-2026-20519
Analysis Generated
Apr 08, 2026 - 18:16 vuln.today
CVE Published
Apr 08, 2026 - 16:47 nvd
MEDIUM 6.3

DescriptionCVE.org

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

AnalysisAI

Server-Side Request Forgery in Kibana One Workflow allows authenticated users with workflow privileges to bypass host allowlist restrictions in the Workflows Execution Engine, enabling unauthorized access to sensitive internal endpoints and data disclosure. Affects Kibana versions 9.3.0 through 9.3.2. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in Kibana's Workflows Execution Engine, which implements host allowlist validation to restrict which endpoints workflows can reach. The SSRF flaw (CWE-918) permits authenticated workflow creators to craft malicious workflow definitions that circumvent these allowlist checks, enabling arbitrary requests to internal or restricted network resources. The attack requires the attacker to possess workflow creation and execution privileges within Kibana, meaning the vulnerability is restricted to authenticated users with specific role permissions rather than unauthenticated remote attackers. CPE designation cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* confirms the Elastic Kibana product line is affected across the impacted version range.

RemediationAI

Upgrade to Kibana version 9.3.3 or later, which resolves the SSRF vulnerability in the Workflows Execution Engine. This patch remedies the allowlist bypass and restores proper host restriction enforcement. Organizations unable to immediately upgrade should restrict workflow creation and execution privileges to only trusted administrative users and monitor workflow execution logs for suspicious requests to internal endpoints. Elastic's security advisory at https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815 provides additional mitigation context.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-33458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy