CVE-2026-49093
Published 2026-05-28
Priority: P3 47 · high · 7.7 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.20% (9.9th percentile)
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 9.3.0 < 9.3.3 | 9.3.3 |
| elastic | kibana | 9.3.0 – 9.3.2 | — |
VulDB
Elastic Kibana up to 9.3.2 Outbound Requests server-side request forgery (EUVD-2026-33035)
vuldb·2026-05-28·CVSS 6.3
CVE-2026-49093 [MEDIUM] Elastic Kibana up to 9.3.2 Outbound Requests server-side request forgery (EUVD-2026-33035)
A vulnerability was found in Elastic Kibana up to 9.3.2. It has been classified as critical. The impacted element is an unknown function of the component Outbound Requests Handler. Performing a manipulation results in server-side request forgery.
This vulnerability is known as CVE-2026-49093. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-qf29-h8cg-2hg4: Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured
ghsa_unreviewed·2026-05-28
CVE-2026-49093 [MEDIUM] CWE-918 GHSA-qf29-h8cg-2hg4: Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.