CVE-2026-33458

Severity: HIGH | WAF: Medium
CVSS: 7.7 | Published: 2026-04-08
CWE-918

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

WAF Coverage Analysis

Server-Side Request Forgery (SSRF): Medium WAF Coverage

OWASP: A10:2021 SSRF

934xxx - Node.js / Generic Injection

Affected Software

Vendor | Product | Version
elastic | kibana | 9.3.0 - 9.3.3
