Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Published: 2026-04-08
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: Information Disclosure via SSRF
Action: Patch Now
AI Analysis

Impact

A server-side request forgery flaw in Kibana One Workflow allows an authenticated user with workflow creation and execution rights to bypass the host allowlist enforced by the Workflows Execution Engine. Because the request is issued by the Kibana server itself, the attacker can make it fetch URLs outside the allowlist, read responses from endpoints that are reachable only from the server's network position, and learn internal network details. The advisory classifies this as an information-disclosure weakness, CWE-918; it does not describe how the allowlist check is defeated.

Affected Systems

The vulnerability affects Elastic's Kibana. The analysis cites an Elastic discussion-forum post that places it in Kibana 9.3.x and possibly earlier 9.x releases, but the advisory text itself names no versions and this page lists no references, so treat that range as unconfirmed until Elastic's advisory is published.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 (Medium) comes from the vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N: the attack is launched over the network without user interaction, but it carries high attack complexity and needs an authenticated account holding the workflow creation and execution privileges, which confines the attacker population to users who have been granted those rights. The scope is changed because the Kibana server is used to reach systems beyond the vulnerable component, and the impact is confidentiality only. The SSVC assessment recorded in the history below lists exploitation as "none", the attack as not automatable, and the technical impact as partial. No EPSS score is available and the issue is not in CISA's KEV catalog; nevertheless, the potential to expose internal endpoints and data from the server's network position warrants prompt remediation.

Generated by OpenCVE AI on April 8, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Kibana security update from Elastic as soon as it is published; at the time of this page no fix or advisory reference is listed.
  • Limit the workflow creation and execution privileges to the smallest set of users who need them, since only accounts holding both can exploit the flaw.
  • Until a patch is available, consider disabling the Workflows feature, and restrict outbound connections from the Kibana host (egress filtering) so the server cannot reach internal endpoints it has no need to call; do not expose Kibana to untrusted networks.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Elastic; Elastic kibana

Type: Vendors & Products
Values Added: Elastic; Elastic kibana

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Added: Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

Type: Title
Values Added: Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-08T19:22:33.432Z

Reserved: 2026-03-20T10:53:23.099Z

Link: CVE-2026-33458

Vulnrichment

Updated: 2026-04-08T19:14:08.795Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T18:26:00.267

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:00Z

Weaknesses