Skip to main content

Kibana CVE-2026-42398

| EUVDEUVD-2026-33032 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-28 elastic GHSA-43ww-gwmw-f89v
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:28 vuln.today

DescriptionCVE.org

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

AnalysisAI

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypass operator-configured egress allowlists by crafting a Webhook connector with an arbitrary target. The flaw enables Kibana to issue outbound HTTP requests to internal or otherwise restricted destinations, exposing sensitive data accessible from the Kibana host. No public exploit identified at time of analysis, and the vulnerability is not present on the CISA KEV list.

Technical ContextAI

The vulnerability lives in Kibana's Actions/Connectors subsystem, specifically the Webhook connector that lets administrators wire alerting and case workflows to external HTTP endpoints. Operators can configure a connection allowlist (xpack.actions.allowedHosts / customHostSettings) intended to constrain which destinations Kibana may contact from its server-side process. CWE-918 (Server-Side Request Forgery) is the root cause class: input controlling an outbound request destination is not adequately validated against the allowlist, so a crafted connector configuration causes the Kibana node process to issue requests on behalf of the attacker to destinations the operator explicitly tried to block, including potentially cloud metadata services, internal management planes, or other intranet hosts reachable from the Kibana server.

RemediationAI

The primary fix is to upgrade Kibana to a vendor-released patched version - 9.2.8 on the 9.2 branch or 9.3.2 on the 9.3 branch, per Elastic advisory ESA-2026-37 at https://discuss.elastic.co/t/kibana-9-2-8-and-9-3-2-security-update-esa-2026-37/386557. Where immediate patching is not possible, compensating controls include revoking the connector management Kibana privilege from non-administrator roles (this disables alerting/cases connector creation for those users but contains the attack surface to fully trusted operators), placing Kibana behind an egress proxy or network firewall that enforces destination allowlisting at L3/L4 independently of Kibana's in-app allowlist (which adds operational overhead and may break legitimate webhook destinations), and blocking Kibana's outbound access to cloud instance metadata endpoints (169.254.169.254, fd00:ec2::254) and internal management CIDRs to neutralize the highest-impact SSRF pivots.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-42398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy