{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33458", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-03-20T10:53:23.099Z", "datePublished": "2026-04-08T16:47:58.462Z", "dateUpdated": "2026-04-08T19:22:33.432Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.</p>"}], "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-08T16:47:58.462Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815"}], "source": {"discovery": "Elastic"}, "title": "Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:13:38.274501Z", "id": "CVE-2026-33458", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:33.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33458", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:13:38.274501Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:14:08.795Z"}}], "cna": {"title": "Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.3.0", "versionType": "semver", "lessThanOrEqual": "9.3.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.", "supportingMedia": [{"type": "text/html", "value": "<p>Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-08T16:47:58.462Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33458", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:22:33.432Z", "dateReserved": "2026-03-20T10:53:23.099Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-04-08T16:47:58.462Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EE7B9F3-E587-498B-822D-785CB848F767", "versionEndExcluding": "9.3.3", "versionStartIncluding": "9.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data."}], "id": "CVE-2026-33458", "lastModified": "2026-04-13T11:30:33.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "security@elastic.co", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T18:26:00.267", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.3.0,9.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kibana", "source": "cna", "vendor": "Elastic"}, "product": "kibana", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-04-13T12:21:02.111976+00:00", "value": {"mitigation_remediation": ["Upgrade Kibana to version 9.3.3 or later, which contains the fix for the SSRF issue. ", "If an upgrade is not immediately possible, restrict or disable the Kibana One Workflow feature for users lacking administrative privileges. ", "Re\u2011enable the host allowlist or apply tighter network segmentation to block internal endpoint access from the workflow execution engine."], "summary": {"action": "Apply Patch", "impact": "Information disclosure via SSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Elastic Kibana, specifically the Kibana One Workflow component. Versions in use that have not yet applied the latest security update are at risk.", "description_and_impact": "Server\u2011Side Request Forgery vulnerability in Kibana One Workflow allows an authenticated user with workflow creation and execution privileges to bypass the engine\u2019s host allowlist. The attacker can cause the system to fetch data from internal endpoints, exposing sensitive internal resources and data.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity. The EPSS score is below 1 percent, and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation likelihood. However, because the attack requires privileges within workflows, the threat level rises for organizations that give users workflow creation rights and rely on internal endpoints that should be restricted. Exploitation would enable an attacker to read internal data without additional compromise."}}}}, "created": "2026-04-08T19:26:44.786191+00:00", "updated": "2026-04-13T14:25:08.295356+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}