CVE-2026-42398
EUVD-2026-3303228.05.2026, 21:16
Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| elastic | kibana | 9.0.0 ≤ 𝑥 < 9.2.8 |
| elastic | kibana | 9.3.0 ≤ 𝑥 < 9.3.2 |
𝑥
= Vulnerable software versions