Skip to main content

Kibana CVE-2026-49093

| EUVDEUVD-2026-33035 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-28 elastic GHSA-qf29-h8cg-2hg4
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:30 vuln.today

DescriptionCVE.org

Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.

AnalysisAI

Server-Side Request Forgery in Kibana allows an authenticated user holding connector management privileges to bypass the operator-configured connector allowlist, forcing the Kibana server to issue outbound HTTP requests to destinations that egress controls were explicitly designed to block. The CVSS Changed Scope (S:C) combined with high confidentiality impact (C:H) means successful exploitation extends beyond Kibana itself, potentially exposing sensitive internal network resources such as cloud metadata services or internal APIs reachable from the Kibana host. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

Kibana (cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*) is Elastic's browser-based analytics and visualization platform. Its connector subsystem allows Kibana to integrate with external services - webhooks, email providers, ticketing systems, and similar - and operators can define an allowlist of permitted outbound destinations to enforce egress boundaries. CWE-918 (Server-Side Request Forgery) describes the root cause: user-controlled input reaches server-side HTTP request logic without sufficient validation, enabling an attacker to redirect the server's outbound calls to unintended targets. In this case the allowlist bypass specifically undermines an operator-level security control, meaning the vulnerability crosses a trust boundary between the application tier and the network perimeter, which is reflected in the Changed Scope (S:C) element of the CVSS vector.

RemediationAI

The primary fix is upgrading Kibana to version 9.3.3 or later, per Elastic security advisory ESA-2026-40 at https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-40/386562. If immediate patching is not feasible, restrict connector management privileges to a minimal set of highly trusted administrators - this directly reduces the population of accounts that could trigger the bypass, though it may break existing automation or alerting workflows relying on those privileges. As a complementary control, enforce egress filtering at the network or infrastructure layer (firewall ACLs or proxy policy) independent of Kibana's application-level allowlist; network-layer controls cannot be bypassed via application-layer SSRF and provide defense-in-depth regardless of patch status. Note that the exact fix version (9.3.3) is inferred from the advisory title and should be confirmed against the full Elastic advisory before deployment.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-49093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy