Server-Side Request Forgery in Kibana by Elastic
CVE-2026-49093

6.3 MEDIUM

Key Information:

Vendor: Elastic

Status
Vendor
CVE Published: 28 May 2026

What is CVE-2026-49093?

A Server-Side Request Forgery vulnerability in Kibana allows authenticated users with connector management permissions to bypass connector allowlist configurations. This flaw permits the Kibana server to execute outbound requests, potentially reaching destinations that are meant to be blocked by egress controls, thereby posing a risk to the integrity of the system.

Affected Version(s)

Kibana: 9.3.0 <= version <= 9.3.2

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
