CVE-2026-49093

MEDIUM6.3EPSS 0.03%

Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Published: 6/1/2026Modified: 6/1/2026

Description

Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.

Affected packages (1)

Bitnami/elk>= 9.3.0, < 9.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

References (2)

WEBhttps://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-40/386562
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-49093