CVE-2026-33458

HIGH7.7EPSS 0.05%

Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure

Published: 4/13/2026Modified: 4/17/2026

Also known as:BIT-elk-2026-33458BIT-kibana-2026-33458

Description

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

Affected packages (2)

Bitnami/elk>= 9.3.0, < 9.3.3
Bitnami/kibana>= 9.3.0, < 9.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (2)

WEBhttps://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-33458