CVE-2026-26938
Published: 26 February 2026
Summary
CVE-2026-26938 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Elastic Kibana. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CWE-1336 by requiring validation of inputs to the Kibana workflow template engine to neutralize special elements and prevent code injection enabling file reads and SSRF.
Addresses the specific template engine flaw by requiring timely identification, reporting, and patching as per Elastic advisory ESA-2026-17 for Kibana 9.3.1.
Enforces least privilege to limit workflowsManagement:executeWorkflow access to only authorized users, reducing the attack surface for authenticated exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Kibana web app directly enables T1190 exploitation; arbitrary file read impact maps to T1005 Data from Local System (SSRF enables internal discovery but lacks a single direct technique match).
NVD Description
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242).…
more
This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.
Deeper analysisAI
CVE-2026-26938 is an Improper Neutralization of Special Elements Used in a Template Engine vulnerability (CWE-1336) affecting Workflows in Kibana. Published on 2026-02-26, it enables arbitrary file reads from the Kibana server filesystem and Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
Exploitation requires an authenticated user possessing the workflowsManagement:executeWorkflow privilege. Such a user can leverage the flaw to access sensitive files on the Kibana server and conduct SSRF attacks, potentially targeting internal services or resources inaccessible from external networks.
The Elastic security advisory ESA-2026-17, available at https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253, addresses this vulnerability in Kibana 9.3.1 and provides details on patches and mitigation steps.
Details
- CWE(s)