Server-Side Request Forgery Vulnerability in Kibana by Elastic
CVE-2026-33458

6.8 MEDIUM

Key Information:

Vendor: Elastic

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-33458?

A Server-Side Request Forgery (CWE-918) vulnerability exists in Kibana's One Workflow feature, enabling authenticated users with permissions to create and execute workflows to circumvent host allowlist controls. This could result in the exposure of sensitive internal endpoints and confidential data, posing significant risks to an organization's security posture.

Affected Version(s)

Kibana 9.3.0 through 9.3.2

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved