CVE-2026-33458

Severity: Medium

Published: 08 April 2026
Modified: 13 April 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: Kibana 9.3.3 (Elastic Security Advisory ESA-2026-28)
CVSS Score: 6.3 (v3.1, Medium), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score: 0.0005 (15.3rd percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33458 is a medium-severity SSRF (CWE-918) vulnerability in Elastic Kibana. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique System Network Configuration Discovery (T1016). EPSS ranks the CVE at the 15.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The remediation is the Kibana 9.3.3 update (NIST 800-53 SI-2, Flaw Remediation). The strongest compensating controls our analysis identified are AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33458 is a Server-Side Request Forgery vulnerability (CWE-918) in Kibana One Workflow, specifically in the Workflows Execution Engine. The engine restricts the hosts a workflow step may contact through a host allowlist; this flaw lets a workflow get past that allowlist, so the engine can be made to send requests to internal endpoints that were meant to be unreachable and return what they serve, disclosing sensitive internal endpoints and data. The vulnerability was published on 2026-04-08T18:26:00.267 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).

An authenticated attacker holding low privileges, specifically permission to create and execute workflows, can exploit this over the network. The vector reflects high attack complexity (AC:H), no user interaction (UI:N) and a scope change (S:C): the vulnerable component is Kibana, but the impacted resources are the internal services the engine is tricked into reaching. The confidentiality impact is rated high (C:H) because the attacker reads data from those restricted internal resources; integrity and availability are not affected (I:N, A:N).

The fix ships in the Kibana 9.3.3 security update, described in Elastic Security Advisory ESA-2026-28: https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815

Vulnerability details

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1016 System Network Configuration Discovery (tactic: Discovery)
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.

T1046 Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

SSRF bypass of host allowlists directly enables querying internal endpoints for network config details, running services, and system information.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42398 (same product: Elastic Kibana)
CVE-2026-26937 (same product: Elastic Kibana)
CVE-2024-43707 (same product: Elastic Kibana)
CVE-2026-26938 (same product: Elastic Kibana)
CVE-2026-0528 (same product: Elastic Kibana)
CVE-2026-26935 (same product: Elastic Kibana)
CVE-2026-33461 (same product: Elastic Kibana)
CVE-2025-25015 (same product: Elastic Kibana)
CVE-2026-4498 (same product: Elastic Kibana)
CVE-2026-26936 (same product: Elastic Kibana)

Affected Assets

Vendor: elastic
Product: kibana
Affected versions: 9.3.0 and later, before 9.3.3 (the page lists the range as 9.3.0 — 9.3.3; 9.3.3 is the fixed release per ESA-2026-28, so treat the upper bound as the patched version, not an affected one)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

[prevent] SI-2 (Flaw Remediation): requires identification, reporting, testing and installation of security updates such as Kibana 9.3.3, which directly remediates the SSRF flaw as specified in Elastic Security Advisory ESA-2026-28.

[prevent] AC-4 (Information Flow Enforcement): enforces information flow control policies, here the host allowlist applied to outbound requests from the Workflows Execution Engine, preventing bypasses that turn the engine into a proxy to internal endpoints.

[prevent] SI-10 (Information Input Validation): mandates validation of the inputs to workflow creation and execution, blocking malformed or malicious host specifications that trigger the SSRF.
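
The AC-4 and SI-10 controls above come down to how an egress allowlist is evaluated. The following is an added example written for this page in Node.js-style JavaScript (Kibana's server side runs on Node.js); it is not Kibana's code, and it does not reproduce the actual bypass behind CVE-2026-33458, which the advisory does not describe. It contrasts a substring-style allowlist check, the kind of check that generic SSRF bypasses defeat, with one that parses the URL, normalizes the host, rejects embedded credentials and IP literals, and requires an exact hostname match, and adds an `isInternalIPv4` helper for the address check that belongs at connect time. The allowed hostnames, probe URLs and function names are constructed for the example.

```javascript
// Added example: outbound-request host allowlist, weak vs hardened.
// Not Kibana code and not the actual CVE-2026-33458 bypass (undisclosed).
// Hostnames and probe URLs below are constructed for illustration.

const ALLOWED_HOSTS = new Set(["api.example.com", "hooks.example.com"]); // constructed

// Weak check: substring match on the raw string the workflow author typed.
// Anything that contains an allowed name passes (lookalike domains, a name
// placed in the userinfo part, plain http), and legitimate spellings such as
// upper case are refused, because no parsing happens at all.
function naiveIsAllowed(target) {
  for (const host of ALLOWED_HOSTS) {
    if (target.includes(host)) return true;
  }
  return false;
}

// Post-parse hostname normalization. The WHATWG URL parser already lowercases,
// IDNA-encodes and rewrites odd IPv4 spellings (0x7f.1, 2130706433) to dotted
// decimal; strip what it leaves behind: a trailing dot and IPv6 brackets.
function normalizeHost(hostname) {
  let h = hostname.toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  return h;
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Hardened check: parse, pin the scheme, refuse credentials in the URL,
// refuse IP literals outright, and require an exact hostname match.
// Anything that does not parse as a URL is denied.
function hardenedIsAllowed(target) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  const host = normalizeHost(url.hostname);
  if (isIpLiteral(host)) return false;
  return ALLOWED_HOSTS.has(host);
}

// Hostname matching alone is not enough: an allowed name can resolve to an
// internal address (attacker-controlled DNS, rebinding) or redirect to another
// host. Apply this to the address actually connected to, and re-run the whole
// check on every redirect hop instead of following redirects blindly.
function isInternalIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  const [a, b] = octets;
  return (
    a === 0 ||                             // 0.0.0.0/8 "this" network
    a === 10 ||                            // 10.0.0.0/8 private
    a === 127 ||                           // 127.0.0.0/8 loopback
    (a === 100 && b >= 64 && b <= 127) ||  // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||            // 169.254.0.0/16 link-local, cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||   // 172.16.0.0/12 private
    (a === 192 && b === 168) ||            // 192.168.0.0/16 private
    a >= 224                               // multicast and reserved
  );
}

// Constructed probes a reviewer would throw at both checks.
const PROBES = [
  "https://api.example.com/v1/alerts",
  "https://API.EXAMPLE.COM./v1/alerts",
  "https://api.example.com.attacker.test/",
  "https://api.example.com@169.254.169.254/latest/meta-data/",
  "http://api.example.com/",
  "https://10.0.0.1/",
  "https://[::ffff:169.254.169.254]/",
  "api.example.com",
];

function compareChecks() {
  return PROBES.map((t) => ({ target: t, naive: naiveIsAllowed(t), hardened: hardenedIsAllowed(t) }));
}

for (const row of compareChecks()) {
  const n = row.naive ? "naive:ALLOW" : "naive:deny ";
  const h = row.hardened ? "hardened:ALLOW" : "hardened:deny ";
  console.log(`${n}  ${h}  ${row.target}`);
}
```

Four of the eight probes pass the substring check and fail the hardened one: the lookalike domain, the allowed name smuggled into the userinfo part in front of a metadata address, plain http, and a bare hostname that is not a URL. Two design choices are worth carrying over to any engine that executes user-authored HTTP steps: decide on the parsed and normalized hostname, never on the raw string, and treat the allowlist as a connect-time control by validating the resolved address (with `isInternalIPv4` or its IPv6 equivalent) and re-checking every redirect target.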

References

Elastic Security Advisory ESA-2026-28, Kibana 9.3.3 security update: https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815