Platform: nodejs
Component: kibana
Fixed in: 9.3.3
CVE-2026-33458 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Kibana One Workflow. This flaw allows an authenticated user with workflow creation and execution privileges to bypass host allowlist restrictions, potentially leading to the exposure of sensitive internal endpoints and data. The vulnerability impacts Kibana versions 9.3.0 through 9.3.2. A patch is available in version 9.3.3.
CVE-2026-33458 in Kibana One Workflow is an information disclosure risk caused by a Server-Side Request Forgery (SSRF) vulnerability. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. The CVSS severity score is 6.8, indicating moderate risk. Addressing this vulnerability matters for the integrity and confidentiality of data in your Elasticsearch and Kibana environment: exploitation requires authentication and specific privileges within Kibana, but the potential impact is significant.
An authenticated attacker holding the necessary roles (workflow creation and execution) can craft a workflow configuration so that the engine issues requests to internal hosts that would normally be outside Kibana's reach. The root cause is inadequate URL validation in the workflows execution engine, which lets a request destination pass the host allowlist even though its effective host is not on the list. Once the allowlist is bypassed, the attacker can reach internal services, read files, or even execute commands on vulnerable systems. Whether exploitation succeeds depends on the environment configuration and on which internal services are reachable through the forged requests.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33458 is to upgrade Kibana to version 9.3.3 or later. This update includes the fix that addresses the SSRF vulnerability. Additionally, review and strengthen access control policies within Kibana to limit user privileges to the minimum necessary. Monitoring Kibana logs for suspicious activity related to workflow execution can help detect and respond to potential exploitation attempts. Implementing a defense-in-depth strategy, including firewalls and intrusion detection systems, can provide additional layers of protection.
Update Kibana to version 9.3.3 or later to mitigate the SSRF vulnerability. This update corrects how Kibana handles server-side requests, preventing the exposure of internal endpoints and sensitive data. See the Elastic release notes for detailed upgrade instructions.
SSRF (Server-Side Request Forgery) is a vulnerability that lets an attacker make the server issue requests to destinations of the attacker's choosing, including resources the attacker could not reach directly. In this case, Kibana could be tricked into accessing internal resources.
The 'workflow creation' and 'workflow execution' roles are required to exploit this vulnerability.
If you cannot upgrade immediately, consider restricting access to internal endpoints and monitoring Kibana logs for suspicious activity.
If you are using a version of Kibana prior to 9.3.3 and have One Workflow enabled, you are likely affected.
Refer to the official Elasticsearch and Kibana documentation for more details and updates on this vulnerability.