Server-Side Request Forgery Vulnerability in Kibana by Elastic
CVE-2026-42398

7.7HIGH

Key Information:

Vendor: Elastic
Status: Kibana
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-42398?

A Server-Side Request Forgery vulnerability exists in Kibana that allows authenticated users with connector management privileges to circumvent the operator-configured connection allowlist. By creating a crafted Webhook connector, an attacker can manipulate Kibana into making outbound requests to blocked destinations, compromising the intended egress restrictions. This vulnerability can lead to unauthorized access and potential data exposure, highlighting the need for immediate attention from administrators to secure affected installations.

Affected Version(s)

Kibana 9.3.0 <= 9.3.1

Kibana 9.0.0 <= 9.2.7

References

https://discuss.elastic.co/t/kibana-9-2-8-and-9-3-2-secur...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42398 Data

JSON