CVE-2026-33458— Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33458
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Elastic Kibana 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Elastic Kibana是Elastic公司的一个可用数据可视化仪表板软件。 Elastic Kibana存在安全漏洞,该漏洞源于Kibana One工作流中的服务器端请求伪造,可能导致具有工作流创建和执行权限的经过身份验证的用户绕过主机允许列表限制,泄露敏感内部端点信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
II. Public POCs for CVE-2026-33458
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33458
请登录查看更多情报信息。
Same Patch Batch · Elastic · 2026-04-08 · 6 CVEs total
| CVE-2026-33466 | 8.1 HIGH | Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitra |
| CVE-2026-4498 | 7.7 HIGH | Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their |
| CVE-2026-33461 | 7.7 HIGH | Incorrect Authorization in Kibana Fleet Leading to Information Disclosure |
| CVE-2026-33459 | 6.5 MEDIUM | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service |
| CVE-2026-33460 | 4.3 MEDIUM | Incorrect Authorization in Kibana Fleet Leading to Information Disclosure |
IV. Related Vulnerabilities
Same product: Kibana
- CVE-2026-33459
Uncontrolled Resource Consumption in Kibana Leading to Denia - CVE-2026-33460
Incorrect Authorization in Kibana Fleet Leading to Informati - CVE-2026-33461
Incorrect Authorization in Kibana Fleet Leading to Informati - CVE-2026-4498
Execution with Unnecessary Privileges in Kibana Leading to r - CVE-2026-26940
Improper Validation of Specified Quantity in Input in Kibana
Same vendor: Elastic
- CVE-2026-33467
Improper Verification of Cryptographic Signature in Elastic - CVE-2026-33466
Improper Limitation of a Pathname to a Restricted Directory - CVE-2026-33459
Uncontrolled Resource Consumption in Kibana Leading to Denia - CVE-2026-33460
Incorrect Authorization in Kibana Fleet Leading to Informati - CVE-2026-33461
Incorrect Authorization in Kibana Fleet Leading to Informati
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2026-33458
No comments yet