CVE-2026-26938

HIGH8.6

Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)

Published Feb 26, 2026

Modified 5 days ago

Details

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

References

WEB

https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-26938

CVSS Analysis

CVSS v3.1

8.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

NoneI:N

Availability

NoneA:N

8.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Weakness Type (CWE)

Other

CWE-1336

Ecosystems

Timeline

PublishedFeb 26, 2026

ModifiedFeb 27, 2026