Template Engine Vulnerability in Kibana by Elastic
CVE-2026-26938

8.6HIGH

Key Information:

Vendor: Elastic
Status: Kibana
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-26938?

A vulnerability exists in the workflow feature of Kibana by Elastic, where improper neutralization of special elements used in a template engine can lead to unauthorized access. An attacker with valid credentials and the appropriate privileges could exploit this flaw to read arbitrary files on the Kibana server's filesystem. Additionally, this vulnerability may allow for Server-Side Request Forgery (SSRF) through code injection, potentially compromising the integrity of the server environment.

Affected Version(s)

Kibana 9.3.0

References

https://discuss.elastic.co/t/kibana-9-3-1-security-update...

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 16, 2026

CVE-2026-26938 Data

JSON