{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26938", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-02-16T16:42:05.774Z", "datePublished": "2026-02-26T17:56:48.611Z", "dateUpdated": "2026-02-27T16:03:59.847Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.3.0", "status": "affected", "version": "9.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.</p>"}], "value": "Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.6, "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-02-26T17:56:48.611Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253"}], "source": {"discovery": "Elastic"}, "title": "Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T16:03:50.471421Z", "id": "CVE-2026-26938", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:03:59.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T16:03:50.471421Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:03:55.940Z"}}], "cna": {"title": "Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.3.0", "versionType": "semver", "lessThanOrEqual": "9.3.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-02-26T17:56:48.611Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26938", "state": "PUBLISHED", "dateUpdated": "2026-02-27T16:03:59.847Z", "dateReserved": "2026-02-16T16:42:05.774Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-02-26T17:56:48.611Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E90DE12-A5EC-4C3C-A86E-BF5AA0778628", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege."}], "id": "CVE-2026-26938", "lastModified": "2026-03-02T15:40:36.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@elastic.co", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T19:32:39.903", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kibana", "source": "cna", "vendor": "Elastic"}, "product": "kibana", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-04-17T14:18:11.488700+00:00", "value": {"mitigation_remediation": ["Upgrade Kibana to version\u00a09.3.1 or later to patch the template engine sanitization flaw.", "Restrict the workflowsManagement:executeWorkflow privilege to only trusted users and, if possible, remove it from default roles.", "Configure Kibana\u2019s outbound network settings or a firewall to block unintended SSRF targets and monitor workflow execution logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Server-Side Request Forgery with arbitrary file read"}, "threat_synthesis": {"affected_systems": "Elastic Kibana version 9.3.0, specifically the Workflows feature, is affected. An authenticated user possessing the workflowsManagement:executeWorkflow privilege is required to trigger the flaw. The reference advisory indicates that upgrade to Kibana 9.3.1 or later mitigates the issue.", "description_and_impact": "Improper neutralization of special elements in the Kibana Workflow template engine permits code injection, enabling a malicious actor to read any file on the Kibana server and perform server\u2011side request forgery. The vulnerability stems from insufficient sanitization of user\u2010supplied template content, a classic example of CWE\u20111336. Exploiting it can leak sensitive configuration data, compromise internal services, or expose unintended network resources.", "risk_and_exploitability": "The CVSS score of 8.6 classifies this flaw as high impact, capable of affecting confidentiality, integrity, and availability of the Kibana instance. The EPSS probability is listed as <1%, suggesting limited real\u2011world exploitation risk at the time of analysis. The vulnerability is not registered in CISA\u2019s KEV catalog. Attackers must be authenticated but can be external if credentials are compromised, and the flaw allows arbitrary file reads and SSRF to internal or external targets."}}}}, "created": "2026-02-27T09:07:14.650489+00:00", "updated": "2026-04-17T14:30:20.814875+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}