Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
Affected Versions:
- 9.x: All versions from 9.3.0 up to and including 9.3.2
Affected Configurations:
- This issue applies to Kibana deployments where xpack.actions.allowedHosts is configured to a non-wildcard value as a network egress control. Deployments using the default ["*"] setting do not enforce an allowlist and are not affected by the bypass described in this advisory.
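The two scope conditions above, an affected version and a non-wildcard allowlist, combined into a small check a practitioner can run against an inventory of deployments. This is an added example, not Elastic's code or part of the advisory; the kibana.yml excerpt is constructed for the demo, and the tiny line-based YAML extraction and the treatment of an unset key as the default ["*"] are assumptions of this example.

```python
"""Added example: is a Kibana deployment in scope for this advisory?

Not Elastic's code. Combines the advisory's version range with the
xpack.actions.allowedHosts condition.
"""
import re

# Version range named in the advisory (inclusive) and the fixed release.
AFFECTED_RANGES = [((9, 3, 0), (9, 3, 2))]
FIXED_VERSION = (9, 3, 3)

# Constructed kibana.yml excerpt for the demo; not a real deployment's file.
SAMPLE_KIBANA_YML = """\
server.port: 5601
# Egress control for connectors: only these hosts may be contacted.
xpack.actions.allowedHosts: ["webhook.internal.example", "smtp.internal.example"]
xpack.actions.enabledActionTypes: ["*"]
"""


def parse_version(version):
    """Turn '9.3.1' (optionally with a '-suffix') into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(part) for part in m.groups())


def version_is_affected(version):
    """True when the version falls inside an advisory range (inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def allowlist_is_enforced(allowed_hosts):
    """True when xpack.actions.allowedHosts actually restricts egress.

    Assumption of this example: an absent key means the default ["*"], and
    any "*" entry disables the restriction, so there is nothing to bypass.
    """
    if allowed_hosts is None:
        return False
    return "*" not in allowed_hosts


def allowed_hosts_from_yaml(text):
    """Extract xpack.actions.allowedHosts from a kibana.yml excerpt.

    Deliberately minimal: handles the flow style `key: ["a", "b"]` and the
    block style `key:` followed by `- a` lines. Not a YAML library.
    Returns None when the key is absent (Kibana then uses its default).
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^xpack\.actions\.allowedHosts:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):
            inner = rest[1:rest.rindex("]")]
            return [h.strip().strip("\"'") for h in inner.split(",") if h.strip()]
        hosts = []
        for following in lines[i + 1:]:
            item = re.match(r"^\s*-\s*(.+)$", following)
            if not item:
                break
            hosts.append(item.group(1).strip().strip("\"'"))
        return hosts
    return None


def assess(version, allowed_hosts):
    """Combine both conditions the advisory states into one verdict."""
    in_range = version_is_affected(version)
    enforced = allowlist_is_enforced(allowed_hosts)
    affected = in_range and enforced
    if affected:
        advice = "upgrade to 9.3.3 or later; until then restrict connector management privileges"
    elif in_range:
        advice = "no allowlist is enforced, so the bypass does not apply; consider configuring one"
    else:
        advice = "version outside the affected range"
    return {
        "affected": affected,
        "vulnerable_version": in_range,
        "allowlist_enforced": enforced,
        "advice": advice,
    }


if __name__ == "__main__":
    hosts = allowed_hosts_from_yaml(SAMPLE_KIBANA_YML)
    print(assess("9.3.1", hosts))
```

Note that an empty list (`xpack.actions.allowedHosts: []`) still counts as an enforced allowlist here: it blocks every host, so a bypass of it matters just as much as a bypass of a short list.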
Solutions and Mitigations:
The issue is resolved in version 9.3.3.
For Users that Cannot Upgrade:
- Restrict connector management privileges to trusted users only, since the bypass requires an authenticated user who can manage connectors.
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.3) - AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2026-49093
Problem Type: CWE-918 - Server-Side Request Forgery (SSRF)