Cyber Resilience

CVE-2026-26938

High

Published: 26 February 2026

Published
26 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0025 16.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26938 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Elastic Kibana. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26938 is an Improper Neutralization of Special Elements Used in a Template Engine vulnerability (CWE-1336) affecting Workflows in Kibana. Published on 2026-02-26, it enables arbitrary file reads from the Kibana server filesystem and Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

Exploitation requires an authenticated user possessing the workflowsManagement:executeWorkflow privilege. Such a user can leverage the flaw to access sensitive files on the Kibana server and conduct SSRF attacks, potentially targeting internal services or resources inaccessible from external networks.

The Elastic security advisory ESA-2026-17, available at https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253, addresses this vulnerability in Kibana 9.3.1 and provides details on patches and mitigation steps.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242).…

more

This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Vulnerability in public-facing Kibana web app directly enables T1190 exploitation; arbitrary file read impact maps to T1005 Data from Local System (SSRF enables internal discovery but lacks a single direct technique match).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-43707Same product: Elastic Kibana
CVE-2026-42398Same product: Elastic Kibana
CVE-2025-25015Same product: Elastic Kibana
CVE-2026-4498Same product: Elastic Kibana
CVE-2026-33461Same product: Elastic Kibana
CVE-2026-26935Same product: Elastic Kibana
CVE-2026-26937Same product: Elastic Kibana
CVE-2026-33458Same product: Elastic Kibana
CVE-2026-0528Same product: Elastic Kibana
CVE-2026-26936Same product: Elastic Kibana

Affected Assets

elastic
kibana
9.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CWE-1336 by requiring validation of inputs to the Kibana workflow template engine to neutralize special elements and prevent code injection enabling file reads and SSRF.

prevent

Addresses the specific template engine flaw by requiring timely identification, reporting, and patching as per Elastic advisory ESA-2026-17 for Kibana 9.3.1.

prevent

Enforces least privilege to limit workflowsManagement:executeWorkflow access to only authorized users, reducing the attack surface for authenticated exploitation.

References