CVE-2026-33458

MEDIUM NVD

CVSS Score 6.3

Severity MEDIUM

Published Apr 08, 2026

Vendor unknown

Description

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

References

https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815