CVE-2026-49093 | THREATINT

Description

Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.

PUBLISHED Reserved 2026-05-27 | Published 2026-05-28 | Updated 2026-05-29 | Assigner elastic

MEDIUM: 6.3CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

9.3.0 (semver)

affected

References

discuss.elastic.co/...3-3-security-update-esa-2026-40/386562

cve.org (CVE-2026-49093)

nvd.nist.gov (CVE-2026-49093)

Download JSON