Description
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
Published: 2026-05-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server-side request forgery (CWE-918) in Kibana. An attacker who is authenticated and has connector-management rights can trick the Kibana server into sending HTTP requests to arbitrary URLs, overriding the operator-configured allowlist. This allows the attacker to reach internal or otherwise blocked destinations, potentially exfiltrating data or accessing services that should be inaccessible from the web interface.

Affected Systems

The affected product is Elastic Kibana. Versions lacking the recent security update that removes the allowlist bypass are vulnerable. The information does not specify a minimum version, so any deployment of Kibana in which connector-management privileges can be assigned should be considered susceptible until patched.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. Because the EPSS score is not available, the likelihood of exploitation cannot be measured precisely, but the fact that the flaw requires privileged access inside Kibana implies a lower probability in loosely secured installations. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to authenticate to Kibana, exercise a connector-management operation that triggers an outbound request, and ensure that the target is reachable from the Kibana server, thereby circumventing any egress filtering that relies on the internal policy.

Generated by OpenCVE AI on May 28, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kibana security update that removes the allowlist bypass (e.g., upgrade to 9.3.3 or later).
  • Limit connector-management privileges to only trusted administrators; consider disabling the feature or removing the ability to add connectors if not required.
  • Enforce a strict outbound allowlist at the network layer to block unexpected destinations even if the application bypasses the internal policy.
  • Implement logging and alerting for outbound requests originating from Kibana to monitor for potential SSRF exploitation.

Generated by OpenCVE AI on May 28, 2026 at 21:41 UTC.
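As an added illustration of the last two recommended actions (monitoring Kibana's outbound requests against the operator allowlist), the following Python script is not part of the OpenCVE page or Elastic's code: it reads egress log lines recorded for the Kibana host and flags every request whose destination is not on the allowlist, separating literal private, loopback or link-local addresses from merely unlisted hostnames. The allowlist entries, hostnames and log format are constructed assumptions.

```python
"""Flag Kibana outbound requests that fall outside the operator allowlist."""
import ipaddress
from urllib.parse import urlparse

# Operator-configured connector allowlist (constructed hostnames; the real
# list is whatever the operator configured for Kibana connectors).
ALLOWED_HOSTS = {"hooks.chat.example", "alerts.ticketing.example"}

# Constructed egress-proxy log lines: timestamp, source host, destination URL, status.
SAMPLE_LOG = """\
2026-05-28T21:50:01Z kibana-01 https://hooks.chat.example/services/abc 200
2026-05-28T21:50:05Z kibana-01 http://10.0.3.7:9200/_cluster/health 200
2026-05-28T21:50:09Z kibana-01 https://alerts.ticketing.example/api/issue 201
2026-05-28T21:50:12Z kibana-01 https://files.unlisted.example/upload 200
"""


def classify_destination(url, allowed):
    """Return 'allowed', 'private-address' or 'unlisted' for one destination URL."""
    host = urlparse(url).hostname or ""
    if host in allowed:
        return "allowed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unlisted"  # a hostname that is simply not on the allowlist
    # Literal addresses in private, loopback or link-local space are exactly
    # what the egress controls were meant to keep the Kibana server away from.
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private-address"
    return "unlisted"


def find_violations(log_text, allowed=ALLOWED_HOSTS):
    """Parse the log and return (timestamp, url, reason) for each non-allowlisted request."""
    violations = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing the monitor
        timestamp, _source, url, _status = parts
        reason = classify_destination(url, allowed)
        if reason != "allowed":
            violations.append((timestamp, url, reason))
    return violations


if __name__ == "__main__":
    for ts, url, reason in find_violations(SAMPLE_LOG):
        print(f"ALERT {ts} Kibana egress outside allowlist: {url} ({reason})")
```

Because the bypass lives inside the application, the comparison is deliberately done on network-side logs rather than on Kibana's own allowlist evaluation.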

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 14:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 22:00:00 +0000

Type: First Time appeared
Values Added: Elastic; Elastic kibana
Type: Vendors & Products
Values Added: Elastic; Elastic kibana

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values Added: Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
Type: Title
Values Added: Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
Type: Weaknesses
Values Added: CWE-918
Type: References
Values Added: (empty)
Type: Metrics
Values Added: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-29T16:47:16.755Z

Reserved: 2026-05-27T11:31:33.582Z

Link: CVE-2026-49093

Vulnrichment

Updated: 2026-05-29T16:21:03.188Z

NVD

Status: Analyzed

Published: 2026-05-28T21:16:34.350

Modified: 2026-06-01T14:13:11.843

Link: CVE-2026-49093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)