CVE-2026-42398

HIGH7.7EPSS 0.03%

Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Published: 6/1/2026Modified: 6/1/2026

Also known as:BIT-elk-2026-42398BIT-kibana-2026-42398

Description

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

Affected packages (1)

Bitnami/elk>= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (2)

WEBhttps://discuss.elastic.co/t/kibana-9-2-8-and-9-3-2-security-update-esa-2026-37/386557
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-42398