What is the CVSS score of CVE-2026-42398?

CVE-2026-42398 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Which versions of Kibana are affected by CVE-2026-42398?

Elastic Kibana contains a server-side request forgery vulnerability (CVSS 7.7) that allows authenticated users with connector management privileges to bypass security controls and access restricted…

Kibana CVE-2026-42398

EUVD-2026-33032 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-05-28 elastic

GHSA-43ww-gwmw-f89v

SSRF Elastic Kibana

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 21:28 vuln.today

DescriptionNVD

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

AnalysisAI

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypass operator-configured egress allowlists by crafting a Webhook connector with an arbitrary target. The flaw enables Kibana to issue outbound HTTP requests to internal or otherwise restricted destinations, exposing sensitive data accessible from the Kibana host. …

RemediationAI

Within 24 hours: Audit all Kibana instances and immediately restrict connector management privileges to essential administrators only; enable comprehensive audit logging of all webhook connector creation and modification. Within 7 days: Deploy network-level egress filtering on Kibana hosts to restrict outbound traffic to authorized external destinations and block all internal network ranges (RFC 1918 addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-42399 MEDIUM This Month

6.5 May 28

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc

CVE-2026-42400 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a

CVE-2026-49094 MEDIUM This Month

6.5 May 28

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level

CVE-2026-49095 MEDIUM This Month

6.5 May 28

Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators

CVE-2026-42398 vulnerability details – vuln.today

Back

Kibana CVE-2026-42398

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code