CVE-2026-33458 — Server-Side Request Forgery in Kibana

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

7.7HIGHNVD

CNA6.3

EPSS

0.1%

top 84.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedApr 8

Description

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶NVDelastic/kibana9.3.0 — 9.3.3

▶CVEListV5elastic/kibana9.3.0 — 9.3.2

🔴Vulnerability Details

GHSA

GHSA-grxp-xwh4-267v: Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure↗2026-04-08

▶

CVEList

Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure↗2026-04-08

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33458 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶