CVE-2026-33458
Published: 08 April 2026
Summary
CVE-2026-33458 is a medium-severity SSRF (CWE-918) vulnerability in Elastic Kibana. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016). The CVE ranks at the 14.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires identification, reporting, testing, and installation of security updates like Kibana 9.3.3, directly remediating the SSRF flaw as specified in the Elastic Security Advisory.
AC-4 enforces information flow control policies, including host allowlists in the Workflows Execution Engine, preventing bypasses that enable SSRF to internal endpoints.
SI-10 mandates validation of information inputs to the workflow creation and execution processes, blocking malformed or malicious host specifications that trigger SSRF.
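As an added illustration of the AC-4 and SI-10 controls above (this is example code, not Kibana's, and it does not reproduce the specific bypass in this CVE, which the advisory does not detail), the following TypeScript shows how a server-side workflow engine can enforce an outbound host allowlist on what a name resolves to, rather than on the hostname string alone. The Resolver type, the DEMO_DNS table and every hostname and address in it are constructed for the example so it runs offline.

```typescript
// Added example: outbound-host allowlist enforcement for a workflow engine that
// issues HTTP requests on a user's behalf. Generic illustration of the
// AC-4 / SI-10 controls; not Kibana's code. The resolver is injected so the
// check can run offline against a constructed DNS table.

type Resolver = (hostname: string) => string[]; // hostname -> resolved IPs

export type Verdict = { allowed: boolean; reason: string };

// Parse a dotted-quad IPv4 literal into its unsigned 32-bit value, or null.
function ipv4ToInt(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  if (parts.some((p) => p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Ranges a server-side fetcher should not reach on a user's behalf:
// loopback, RFC 1918 private, link-local, shared address space, "this network".
const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
}

export function isInternalAddress(ip: string): boolean {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) return BLOCKED_V4.some(([b, bits]) => inCidr(v4, b, bits));
  // Minimal IPv6 handling: loopback, unspecified, link-local, unique-local,
  // and IPv4-mapped addresses (re-checked against the IPv4 ranges).
  const lower = ip.toLowerCase();
  if (lower === "::1" || lower === "::") return true;
  if (/^fe[89ab]/.test(lower) || /^f[cd]/.test(lower)) return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(lower);
  if (mapped) return isInternalAddress(mapped[1]);
  return false;
}

export function checkOutboundHost(
  target: string,
  allowlist: string[],
  resolve: Resolver,
): Verdict {
  let url: URL;
  try {
    url = new URL(target); // WHATWG parsing normalizes case and IPv4 forms
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  }
  // IPv6 literals keep their brackets in URL.hostname; strip them for matching.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  // Match the exact normalized hostname, never a substring or prefix.
  const allowedHosts = new Set(allowlist.map((h) => h.toLowerCase()));
  if (!allowedHosts.has(host)) {
    return { allowed: false, reason: `host ${host} not in allowlist` };
  }
  // Decide on the resolved addresses, not just the name: an allowlisted name
  // can point at an internal address. Every returned address must pass.
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : resolve(host);
  if (addrs.length === 0) return { allowed: false, reason: `${host} did not resolve` };
  for (const a of addrs) {
    if (isInternalAddress(a)) {
      return { allowed: false, reason: `${host} resolves to internal address ${a}` };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed DNS table for offline demonstration (not real hosts).
const DEMO_DNS: Record<string, string[]> = {
  "api.partner.example": ["203.0.113.10"],
  "cname.partner.example": ["203.0.113.11", "10.0.0.5"],
};
export const demoResolver: Resolver = (h) => DEMO_DNS[h] ?? [];
```

In a real deployment the resolved-address check belongs at connection time (the address chosen by the socket, not a separate lookup, since a name can change between check and use) and must be re-applied to every redirect the client follows; the allowlist itself should be an exact host set maintained by administrators, not a pattern supplied by the workflow author.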
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF bypass of host allowlists directly enables querying internal endpoints for network config details, running services, and system information.
NVD Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Deeper analysis
CVE-2026-33458 is a Server-Side Request Forgery vulnerability (CWE-918) in Kibana One Workflow, specifically within the Workflows Execution Engine. This flaw enables bypassing host allowlist restrictions, potentially leading to information disclosure of sensitive internal endpoints and data. The vulnerability was published on 2026-04-08T18:26:00.267 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).
An authenticated attacker with low privileges, specifically workflow creation and execution permissions, can exploit this vulnerability over the network. Exploitation requires high attack complexity but has no user interaction and changes scope, allowing the attacker to achieve high-impact confidentiality violations by accessing restricted internal resources.
The Elastic Security Advisory ESA-2026-28, detailed at https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815, provides mitigation through the Kibana 9.3.3 security update.
Details
- CWE(s)