Description
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.
Published: 2026-02-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery with arbitrary file read
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of special elements in the Kibana Workflow template engine permits code injection, enabling a malicious actor to read any file on the Kibana server and perform server-side request forgery. The vulnerability stems from insufficient sanitization of user-supplied template content, a classic example of CWE-1336. Exploiting it can leak sensitive configuration data, compromise internal services, or expose unintended network resources.

Affected Systems

Elastic Kibana version 9.3.0, specifically the Workflows feature, is affected. An authenticated user possessing the workflowsManagement:executeWorkflow privilege is required to trigger the flaw. The referenced advisory indicates that upgrading to Kibana 9.3.1 or later mitigates the issue.

Risk and Exploitability

The CVSS score of 8.6 classifies this flaw as high impact, capable of affecting confidentiality, integrity, and availability of the Kibana instance. The EPSS probability is listed as <1%, suggesting limited real‑world exploitation risk at the time of analysis. The vulnerability is not registered in CISA’s KEV catalog. Attackers must be authenticated but can be external if credentials are compromised, and the flaw allows arbitrary file reads and SSRF to internal or external targets.

Generated by OpenCVE AI on April 17, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kibana to version 9.3.1 or later to patch the template engine sanitization flaw.
  • Restrict the workflowsManagement:executeWorkflow privilege to only trusted users and, if possible, remove it from default roles.
  • Configure Kibana’s outbound network settings or a firewall to block unintended SSRF targets and monitor workflow execution logs for suspicious activity.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:45:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*

Fri, 27 Feb 2026 16:15:00 +0000

Type       Values Removed    Values Added
Metrics    -                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type                   Values Removed    Values Added
First Time appeared    -                 Elastic, Elastic kibana
Vendors & Products     -                 Elastic, Elastic kibana

Thu, 26 Feb 2026 18:30:00 +0000

Type           Values Removed    Values Added
Description    -                 Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.
Title          -                 Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)
Weaknesses     -                 CWE-1336
References     -                 -
Metrics        -                 cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-02-27T16:03:59.847Z

Reserved: 2026-02-16T16:42:05.774Z

Link: CVE-2026-26938

Vulnrichment

Updated: 2026-02-27T16:03:55.940Z

NVD

Status: Analyzed

Published: 2026-02-26T19:32:39.903

Modified: 2026-03-02T15:40:36.893

Link: CVE-2026-26938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses