Any more details from your security team on the vulnerability they've detected? If they saw it manually, what pages and elements were they looking at? Or if an automatic tool flagged Kibana as vulnerable, can you provide the output of the tool?
Send these details to https://www.elastic.co/community/security rather than posting the answers here.
I was under impression that this vulnerability was fixed in Kiaban 5.x+ versions.
That's still correct, the last known CSRF vulnerability isn't present in Kibana 5 or above. List of public vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-13554/product_id-31867/Elasticsearch-Kibana.html . So if there is no mistake and your team has detected a new one, please have them send details to that page ^ ASAP, your report would be much appreciated.