CVE-2026-33458 | THREATINT

Description

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

PUBLISHED Reserved 2026-03-20 | Published 2026-04-08 | Updated 2026-04-08 | Assigner elastic

MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

9.3.0 (semver)

affected

References

discuss.elastic.co/...3-3-security-update-esa-2026-28/385815

cve.org (CVE-2026-33458)

nvd.nist.gov (CVE-2026-33458)

Download JSON