Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Published: 2026-04-08
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via SSRF
Action: Apply Patch
AI Analysis

Impact

Server‑Side Request Forgery vulnerability in Kibana One Workflow allows an authenticated user with workflow creation and execution privileges to bypass the engine’s host allowlist. The attacker can cause the system to fetch data from internal endpoints, exposing sensitive internal resources and data.

Affected Systems

The vulnerability affects Elastic Kibana, specifically the Kibana One Workflow component. Versions in use that have not yet applied the latest security update are at risk.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. The EPSS score is below 1 percent, and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation likelihood. However, because the attack requires privileges within workflows, the threat level rises for organizations that give users workflow creation rights and rely on internal endpoints that should be restricted. Exploitation would enable an attacker to read internal data without additional compromise.

Generated by OpenCVE AI on April 13, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kibana to version 9.3.3 or later, which contains the fix for the SSRF issue.
  • If an upgrade is not immediately possible, restrict or disable the Kibana One Workflow feature for users lacking administrative privileges.
  • Re‑enable the host allowlist or apply tighter network segmentation to block internal endpoint access from the workflow execution engine.

Generated by OpenCVE AI on April 13, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Elastic
Elastic kibana
Vendors & Products Elastic
Elastic kibana

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Title Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Elastic Kibana
cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-08T19:22:33.432Z

Reserved: 2026-03-20T10:53:23.099Z

Link: CVE-2026-33458

cve-icon Vulnrichment

Updated: 2026-04-08T19:14:08.795Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T18:26:00.267

Modified: 2026-04-13T11:30:33.800

Link: CVE-2026-33458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:25:08Z

Weaknesses