Kibana 9.3.3 Security Update (ESA-2026-28)

Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

Affected Versions:

  • 9.x: All versions from 9.3.0 up to and including 9.3.2

Affected Configurations:

Deployments running Kibana 9.3.x with the Workflows Execution Engine enabled. Exploitation requires an authenticated user with workflow creation and execution privileges.

Solutions and Mitigations:

The issue is resolved in version 9.3.3.

Indicators of Compromise (IOC)

Monitor workflow execution logs for HTTP step executions that result in redirect responses, particularly those targeting internal hosts not on the allowlist.

  • Review Kibana audit logs for workflow execution activity, focusing on HTTP step executions with redirect-following behavior.
  • Monitor network logs for outbound connections from Kibana to unexpected internal hosts.
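To make the allowlist bypass described above and the redirect-focused IOCs concrete, here is an added example that is not Kibana's code: a simulated HTTP-step client whose weak form checks the allowlist only for the initial URL, beside a hardened form that re-validates the host on every redirect hop. The hostnames, URLs, allowlist and responses are constructed, and the assumption that redirect following is the bypass path is inferred from the IOC guidance rather than stated by the advisory.

```typescript
// Simulated responses keyed by URL (constructed sample data; no network access).
type Resp = { status: number; location?: string; body?: string };
const FAKE_NET: Record<string, Resp> = {
  "https://api.partner.example/data": { status: 302, location: "http://10.0.0.5:9200/_cluster/state" },
  "http://10.0.0.5:9200/_cluster/state": { status: 200, body: "INTERNAL-ONLY" },
  "https://api.partner.example/ok": { status: 200, body: "public data" },
};
const fakeFetch = (url: string): Resp => FAKE_NET[url] ?? { status: 404 };

// Hostname check: exact match against a constructed allowlist of external hosts.
// In production also resolve the name and reject private/link-local address ranges.
function hostAllowed(url: string, allowlist: string[]): boolean {
  try { return allowlist.includes(new URL(url).hostname); } catch { return false; }
}

function isRedirect(r: Resp): boolean {
  return r.status >= 300 && r.status < 400 && r.location !== undefined;
}

// Weak pattern: allowlist applied once, then redirects followed without re-checking.
function fetchWeak(url: string, allowlist: string[], maxHops = 5): Resp {
  if (!hostAllowed(url, allowlist)) return { status: 403 };
  let r = fakeFetch(url);
  for (let i = 0; i < maxHops && isRedirect(r); i++) {
    r = fakeFetch(r.location as string); // redirect target is trusted blindly
  }
  return r;
}

// Hardened pattern: resolve the Location header and re-validate it on every hop.
function fetchHardened(url: string, allowlist: string[], maxHops = 5): Resp {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!hostAllowed(current, allowlist)) return { status: 403 };
    const r = fakeFetch(current);
    if (!isRedirect(r)) return r;
    // Relative Location values are resolved against the current URL before checking.
    current = new URL(r.location as string, current).toString();
  }
  return { status: 508 }; // redirect loop or chain too long
}

const ALLOWLIST = ["api.partner.example"];
```

Running both against the constructed chain shows the weak client returning the internal body while the hardened client stops with 403 at the off-allowlist hop.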

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.8) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-33458
Problem Type: CWE-918 - Server-Side Request Forgery (SSRF)