{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33458", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-03-20T10:53:23.099Z", "datePublished": "2026-04-08T16:47:58.462Z", "dateUpdated": "2026-04-08T19:22:33.432Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.</p>"}], "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-08T16:47:58.462Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815"}], "source": {"discovery": "Elastic"}, "title": "Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:13:38.274501Z", "id": "CVE-2026-33458", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:33.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33458", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:13:38.274501Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:14:08.795Z"}}], "cna": {"title": "Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.3.0", "versionType": "semver", "lessThanOrEqual": "9.3.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.", "supportingMedia": [{"type": "text/html", "value": "<p>Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-08T16:47:58.462Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33458", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:22:33.432Z", "dateReserved": "2026-03-20T10:53:23.099Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-04-08T16:47:58.462Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data."}], "id": "CVE-2026-33458", "lastModified": "2026-04-08T18:26:00.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "security@elastic.co", "type": "Secondary"}]}, "published": "2026-04-08T18:26:00.267", "references": [{"source": "security@elastic.co", "url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.3.0,9.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kibana", "source": "cna", "vendor": "Elastic"}, "product": "kibana", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-04-08T19:20:48.219611+00:00", "value": {"mitigation_remediation": ["Apply the latest Kibana security update released by Elastic, as referenced in the discussion forum.", "Restrict workflow creation and execution privileges to trusted users only.", "If an immediate patch is unavailable, disable external workflow execution or block the Kibana endpoint from untrusted networks until the update can be applied."], "summary": {"action": "Patch Now", "impact": "Information Disclosure via SSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Elastic's Kibana product. According to the referenced Elastic discussion forum, it applies to Kibana version 9.3.x and potentially earlier 9.x releases, but specific version information beyond that is not provided in the advisory.", "description_and_impact": "A server\u2011side request forgery flaw in Kibana One Workflow allows an authenticated user with workflow creation and execution rights to bypass the host allowlist enforced by the Workflows Execution Engine. By making Kibana resolve arbitrary internal URLs, the attacker can read data from otherwise protected endpoints and learn internal network details, constituting an information\u2011disclosure vulnerability identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 6.8 reflects a moderate severity. Exploitation requires the user to be authenticated and to possess permissions to create and execute workflows, limiting the threat surface to privileged accounts. The EPSS score is not available and the issue is not listed in CISA's KEV catalog; nevertheless, the potential to expose confidential internal data warrants prompt remediation."}}}}, "created": "2026-04-08T19:26:44.786191+00:00", "updated": "2026-04-08T19:39:00.551164+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}