MEDIUM · CVE-2026-33458 · CVSS 6.8

CVE-2026-33458: Kibana SSRF Vulnerability (9.3.0-9.3.2)

Platform: nodejs
Component: kibana
Fixed in: 9.3.3
AI Confidence: high · NVD · EPSS 0.1% · Reviewed: Apr 2026

CVE-2026-33458 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Kibana One Workflow. This flaw allows an authenticated user with workflow creation and execution privileges to bypass host allowlist restrictions, potentially leading to the exposure of sensitive internal endpoints and data. The vulnerability impacts Kibana versions 9.3.0 through 9.3.2. A patch is available in version 9.3.3.

Impact and Attack Scenarios

CVE-2026-33458 in Kibana One Workflow represents an information disclosure risk due to a Server-Side Request Forgery (SSRF) vulnerability. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions within the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. The CVSS severity score is 6.8, indicating a moderate risk. Addressing this vulnerability is crucial to protect the integrity and confidentiality of data within your Elasticsearch and Kibana environment. Successful exploitation requires authentication and specific privileges within Kibana, but the potential impact is significant.

Exploitation Context

An authenticated attacker with the necessary roles (workflow creation and execution) can manipulate a workflow configuration to make requests to internal hosts that would normally be out of Kibana's scope. This is achieved by exploiting inadequate URL validation within the workflows execution engine. The vulnerability centers on the ability to bypass the host allowlist, allowing the attacker to access internal services, read files, or even execute commands on vulnerable systems. The success of exploitation depends on the environment configuration and the presence of internal services accessible through the forged requests.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.05% (15th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 6.8 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: kibana
Vendor: Elastic
Affected range: 9.3.0 – 9.3.2
Fixed in: 9.3.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-33458 is to upgrade Kibana to version 9.3.3 or later. This update includes the fix that addresses the SSRF vulnerability. Additionally, review and strengthen access control policies within Kibana to limit user privileges to the minimum necessary. Monitoring Kibana logs for suspicious activity related to workflow execution can help detect and respond to potential exploitation attempts. Implementing a defense-in-depth strategy, including firewalls and intrusion detection systems, can provide additional layers of protection.

How to fix

Update Kibana to version 9.3.3 or later to mitigate the SSRF vulnerability. This update corrects how Kibana handles server-side requests, preventing the exposure of internal endpoints and sensitive data. See the Elastic release notes for detailed upgrade instructions.


Frequently asked questions

What is CVE-2026-33458 — SSRF in Kibana?

SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to make the server perform requests to resources the attacker controls. In this case, Kibana could be tricked into accessing internal resources. The 'workflow creation' and 'workflow execution' roles are required to exploit this vulnerability.

Am I affected by CVE-2026-33458 in Kibana?

If you are using a version of Kibana prior to 9.3.3 and have One Workflow enabled, you are likely affected.

How do I fix CVE-2026-33458 in Kibana?

Upgrade Kibana to version 9.3.3 or later. If you cannot upgrade immediately, consider restricting access to internal endpoints and monitoring Kibana logs for suspicious activity.

Is CVE-2026-33458 being actively exploited?

No public proof of concept is known, the CVE is not listed in the CISA KEV catalog, and the CISA SSVC exploitation rating is "none" (see Threat Intelligence above).

Where can I find the official Kibana advisory for CVE-2026-33458?

Refer to the official Elasticsearch and Kibana documentation for more details and updates on this vulnerability.
