CVE-2026-42398
published 2026-05-28
CVE-2026-42398: Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection…
Priority: P3 · 49 · High · CVSS 3.1 base score 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.30% (21.6th percentile)
Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.
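The advisory text above does not say how the Webhook target is crafted, so the following is an added, generic illustration (not Kibana's code and not the actual bypass) of what an egress allowlist has to get right: compare the hostname the HTTP client will really connect to, taken from the same URL parser the client uses, rather than a substring of the operator-supplied string, and re-validate every redirect hop. The allowlist entries, the sample URLs and the function names are constructed for this example. In Kibana, the operator-configured allowlist this CVE concerns is the `xpack.actions.allowedHosts` setting.

```javascript
// Added example (not Kibana code): a URL egress-allowlist check as an operator
// would want it enforced, beside the naive string check it replaces.
// ALLOWED_HOSTS and every sample URL below are constructed for this example.
// The crafted target used against CVE-2026-42398 is not disclosed on this
// page; the inputs here are generic URL-parsing pitfalls, not the exploit.

const ALLOWED_HOSTS = ['hooks.example.com', 'alerts.example.org'];

// Naive check: "does the raw string contain an allowed name?". Anything that
// puts an allowed name in the userinfo, in a longer hostname, or in the query
// passes, while the client connects somewhere else entirely.
function naiveAllowed(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  return allowedHosts.some((h) => rawUrl.includes(h));
}

// Hardened check: parse with the WHATWG URL parser (the one Node's HTTP
// clients use), then compare the authoritative hostname exactly.
function strictAllowed(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparseable input is denied, never "assumed safe"
  }
  // Only plain HTTP(S) may leave the box; no file:, gopher:, ftp: and so on.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  // Credentials in the authority are a classic way to make the host look
  // allowed to a string check; a webhook target has no business carrying them.
  if (u.username !== '' || u.password !== '') return false;
  // Normalise what the parser gives us: lower-case, drop a trailing dot,
  // strip IPv6 brackets so an entry like "::1" can be compared literally.
  const host = u.hostname.toLowerCase().replace(/\.$/, '').replace(/^\[|\]$/g, '');
  if (host === '') return false;
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return allowed.has(host);
}

// Redirects are the other classic escape: an allowed host answering 302 to an
// internal address. Every hop the client is about to follow must pass the
// same check; hops is the list of absolute URLs in the order they were seen.
function chainAllowed(hops, allowedHosts = ALLOWED_HOSTS) {
  return hops.length > 0 && hops.every((h) => strictAllowed(h, allowedHosts));
}

// Side-by-side report over constructed sample targets.
const SAMPLES = [
  'https://hooks.example.com/path?x=1',        // legitimate
  'HTTPS://HOOKS.EXAMPLE.COM./path',           // case + trailing dot, still legitimate
  'http://hooks.example.com@169.254.169.254/', // userinfo trick, connects to metadata service
  'http://hooks.example.com.attacker.test/',   // allowed name as a prefix of another host
  'http://127.0.0.1/?cb=hooks.example.com',    // allowed name only in the query
  'gopher://hooks.example.com/',               // non-HTTP scheme
  'http://[::1]:9200/',                        // IPv6 loopback
];

function report(urls) {
  return urls.map((url) => ({ url, naive: naiveAllowed(url), strict: strictAllowed(url) }));
}

console.table(report(SAMPLES));
```

Two caveats that parse-time checking alone does not cover: an allowed name may resolve to an internal address (or change between check and connect), so the outbound client should resolve once, check the resulting address against the same policy, and connect to that address; and the client must either refuse redirects or run each Location hop through the check, as `chainAllowed` does here. For Kibana operators the corresponding controls are an explicit `xpack.actions.allowedHosts` list instead of the default wildcard, a restrictive `xpack.actions.enabledActionTypes`, and upgrading to the fixed releases in the table below.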
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 9.0.0 < 9.2.8 (9.0.0 – 9.2.7) | 9.2.8 |
| elastic | kibana | >= 9.3.0 < 9.3.2 (9.3.0 – 9.3.1) | 9.3.2 |
GHSA
GHSA-43ww-gwmw-f89v · unreviewed · 2026-05-28 · HIGH · CWE-918
Advisory text matches the CVE description above: Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist.
VulDB
Elastic Kibana up to 9.2.7/9.3.1 Outbound Requests server-side request forgery
vuldb · 2026-05-28 · CVSS 7.7 · HIGH
A vulnerability described as critical has been identified in Elastic Kibana up to 9.2.7/9.3.1. Affected by this vulnerability is an unknown functionality of the component Outbound Requests Handler. Such manipulation leads to server-side request forgery.
This vulnerability is listed as CVE-2026-42398. The attack may be performed remotely. There is no available exploit.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-28