Description
Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.
Published: 2026-05-28
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Server-Side Request Forgery in Kibana allows an attacker with authenticated access and connector-management privileges to bypass the operator-configured connection allowlist. By crafting a Webhook connector pointed at a non-approved target, the attacker can cause Kibana to issue HTTP requests to internal destinations that the egress controls were meant to block. Because those requests originate from the Kibana server itself, the flaw can expose confidential data, enable lateral movement, or permit exfiltration without the operator's knowledge.

Affected Systems

Elastic's Kibana product is affected. No specific versions were supplied in the advisory; therefore any Kibana installation with the connector-management feature enabled is potentially vulnerable and should be treated as impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 7.7 classifies the flaw as high severity. Because exploitation requires a valid authenticated session with appropriate privileges, the attack surface is limited to users who already have a foothold in Kibana. The EPSS score is unavailable, but the lack of a KEV listing suggests no publicly known remote exploitation at the time. Nonetheless, the ability to bypass egress controls presents a serious threat to internal network integrity.

Generated by OpenCVE AI on May 28, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kibana security update from Elastic to remediate the flaw.
  • If immediate patching cannot be performed, revoke connector-management permissions for users who do not require Webhook configuration, or temporarily disable Webhook connectors entirely.
  • Implement or enforce network-level egress filters that block unexpected outbound destinations, so that even if Kibana attempts such requests, they are denied.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 14:30:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 21:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Elastic; Elastic kibana

Type: Vendors & Products
Values removed: (none)
Values added: Elastic; Elastic kibana

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values removed: (none)
Values added: Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

Type: Title
Values removed: (none)
Values added: Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Type: Weaknesses
Values removed: (none)
Values added: CWE-918

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-29T16:47:26.181Z

Reserved: 2026-04-27T10:14:34.318Z

Link: CVE-2026-42398

Vulnrichment

Updated: 2026-05-29T16:21:50.705Z

NVD

Status : Analyzed

Published: 2026-05-28T21:16:30.180

Modified: 2026-06-01T14:17:50.670

Link: CVE-2026-42398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:00:14Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)