CVE-2026-42398 | THREATINT

Description

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

PUBLISHED Reserved 2026-04-27 | Published 2026-05-28 | Updated 2026-05-29 | Assigner elastic

HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

9.3.0 (semver)

affected

9.0.0 (semver)

affected

References

discuss.elastic.co/...3-2-security-update-esa-2026-37/386557

cve.org (CVE-2026-42398)

nvd.nist.gov (CVE-2026-42398)

Download JSON