CVE-2026-33458

MEDIUM CVSS 6.3 View on NVD ↗

Description

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

References

https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815

Published: Apr 08, 2026 18:26 UTC Modified: Apr 08, 2026 21:26 UTC