Introduction
Elastic's Kibana has now accumulated its third Server-Side Request Forgery vulnerability disclosure in 2026, and this latest one, CVE-2026-42398, specifically defeats the egress control mechanism that operators deploy to restrict where Kibana can send outbound requests. For organizations that have deliberately configured xpack.actions.allowedHosts as a security boundary, this vulnerability means that boundary can be bypassed by any authenticated user with connector management privileges, turning Kibana into a proxy for reaching internal services that were supposed to be off limits.
The vulnerability carries a CVSS 7.7 (High) score, driven primarily by the "Scope: Changed" designation, which reflects that the impact extends beyond Kibana itself to the network resources the allowlist was designed to protect. No workarounds are available; upgrading to Kibana 9.2.8 or 9.3.2 is the only remediation path.
Technical Information
Root Cause: Allowlist Validation Bypass in Webhook Connectors
CVE-2026-42398 is classified under CWE-918 (Server-Side Request Forgery), which OWASP elevated to the Top 10 in 2021 as A10:2021 due to its increasing prevalence in modern web applications. The vulnerability resides in Kibana's Webhook connector feature, a component that allows users to configure outbound HTTP integrations to external services.
Kibana provides an operator level configuration setting, xpack.actions.allowedHosts, that functions as an allowlist of permitted outbound destinations for connectors. When configured (i.e., not set to the wildcard * value), this setting is intended to enforce egress restrictions, preventing connectors from contacting unauthorized hosts. CVE-2026-42398 allows an authenticated user to craft a Webhook connector target that circumvents this validation logic entirely.
CVSS Vector Analysis
The full CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, which breaks down as follows:
| Component | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | Low | Authenticated user with connector management privileges |
| User Interaction | None | No victim interaction needed |
| Scope | Changed | Impact crosses a security boundary |
| Confidentiality | High | Total information disclosure from restricted targets |
| Integrity | None | No direct data modification |
| Availability | None | No direct availability impact |
The "Scope: Changed" designation is the critical element here. It indicates that the vulnerability's impact extends beyond the vulnerable component (Kibana) to affect resources in a different security scope, specifically the internal network services and endpoints that xpack.actions.allowedHosts was configured to protect.
Attack Flow
The exploitation sequence proceeds through four stages:
-
Authentication: The attacker authenticates to Kibana using credentials that grant connector management privileges. This could be a legitimate insider, a compromised account, or a user who has escalated privileges through another vulnerability.
-
Connector Configuration: The attacker creates or modifies a Webhook connector, specifying a crafted target URL designed to bypass the allowlist validation logic. The specific bypass technique has not been detailed in the public advisory, consistent with Elastic's responsible disclosure practices.
-
Execution: When the Webhook connector executes, Kibana issues an outbound HTTP request to the crafted destination. Because the allowlist check has been bypassed, the request reaches a host that the operator intended to block.
-
Data Exfiltration: The response from the restricted destination is returned to the attacker. This enables information disclosure from internal services, cloud metadata endpoints (such as
http://169.254.169.254/for AWS IMDSv1), Elasticsearch clusters, or other network segmented resources.
It is worth noting that the vulnerability is only exploitable when xpack.actions.allowedHosts is actively configured to restrict connections. Deployments using the wildcard * value have no allowlist boundary to bypass, though they face other SSRF related risks from unrestricted outbound access.
Known SSRF Bypass Techniques
While the exact bypass method used in CVE-2026-42398 has not been publicly disclosed, OWASP and security researchers have documented several common techniques that attackers use to circumvent SSRF allowlist protections:
- URL parser inconsistencies: Differences in how programming languages and libraries parse URLs can cause a URL that passes validation in one parser to be interpreted differently by the HTTP client, circumventing allowlist checks.
- DNS rebinding: A TOCTOU (time of check, time of use) attack where the attacker controls a domain that initially resolves to an allowed IP address during validation but switches to an internal IP address when the actual request is made.
- Open redirect chaining: Tools like r3dir enable bypass via open redirectors on trusted domains, forwarding requests from an initially allowed destination to an internal resource.
Scope Considerations
Kibana is typically deployed in environments with direct access to Elasticsearch clusters, which may contain sensitive log data, security event information, and business critical indices. A successful SSRF from Kibana could enable reconnaissance of these internal services, access to cloud provider metadata APIs, or interaction with other services on the internal network that trust requests originating from the Kibana server's IP address.
Affected Systems and Versions
The following Kibana versions are confirmed vulnerable:
| Affected Version Range | Fixed Version |
|---|---|
| Kibana 9.0.0 through 9.2.7 | 9.2.8 |
| Kibana 9.3.0 through 9.3.1 | 9.3.2 |
The vulnerability specifically affects deployments where xpack.actions.allowedHosts is configured to restrict outbound connections (not set to the wildcard *). Elastic Cloud Serverless deployments were automatically remediated through standard patching processes before public disclosure and require no manual action.
No configuration based workaround is documented in the advisory. Upgrading to a patched version is the sole remediation path.
Defense in Depth Recommendations
While patching is the only fix, organizations can apply OWASP recommended SSRF defense in depth measures to reduce risk:
- Network segmentation: Kibana servers should not have unrestricted access to sensitive internal network segments. Segment remote resource access functionality into separate networks to limit the blast radius of a successful SSRF.
- Deny by default firewall policies: Block all inbound and outbound traffic from Kibana except what is essential. Log both accepted and blocked network flows to detect anomalous outbound requests.
- Restrict connector management privileges: Limit the number of users granted connector management privileges to the minimum necessary, reducing the pool of potential attackers.
- Monitor audit logs: Review Kibana audit logs for Webhook connector creation and modification events, particularly connectors targeting unusual or internal destinations. The ESA-2026-28 advisory for a related Kibana SSRF provides applicable detection guidance: focus on HTTP step executions with redirect following behavior and monitor network egress traffic for connections to unexpected internal destinations.
- Disable HTTP redirections: At the network level, prevent Kibana from following HTTP redirects, which can be used in SSRF chain attacks.
Vendor Security History
The 2026 timeline for Kibana security advisories reveals a pattern that warrants attention. Elastic has published at least eight security advisories for Kibana in the first five months of 2026, with four of them addressing SSRF vulnerabilities:
| Advisory | Date | Vulnerability Type | Component |
|---|---|---|---|
| ESA-2026-05 | Jan 13, 2026 | SSRF + File Path Traversal | Google Grounded connector |
| ESA-2026-13 | Feb 2026 | Improper Input Validation (DoS) | Kibana |
| ESA-2026-17 | Feb 26, 2026 | SSRF | Workflow template engine |
| ESA-2026-20 | Mar 19, 2026 | Timelion prototype pollution | Kibana |
| ESA-2026-21 | Apr 2026 | Execution with Unnecessary Privileges | Kibana |
| ESA-2026-25 | Apr 8, 2026 | Fleet enrollment access | Kibana |
| ESA-2026-28 | Apr 8, 2026 | SSRF (CVE-2026-33458) | One Workflow |
| ESA-2026-37 | May 28, 2026 | SSRF (CVE-2026-42398) | Webhook connector |
The SSRF specific timeline is particularly telling:
| CVE / Advisory | Date | Component | Description |
|---|---|---|---|
| ESA-2026-05 | Jan 2026 | Google Grounded connector | SSRF via connector |
| ESA-2026-17 | Feb 2026 | Workflows template engine | SSRF via template injection |
| CVE-2026-33458 | Apr 2026 | One Workflow | SSRF bypassing host allowlist |
| CVE-2026-42398 | May 2026 | Webhook connector | SSRF bypassing connection allowlist |
This recurrence across different connector and workflow subsystems suggests that the URL validation and allowlist enforcement logic may share common design weaknesses. Point patches address individual bypass techniques, but the architectural commonality across these vulnerabilities raises the question of whether a more fundamental redesign of Kibana's outbound request handling is needed. Organizations should not assume that patching this single CVE fully addresses the SSRF risk in Kibana; close monitoring for future advisories is warranted.
Elastic operates as a CVE Numbering Authority (CNA) and maintains a consistent disclosure and patching process through its product security team and community forum security announcements. The high frequency of advisories demonstrates active security maintenance, but also indicates that Kibana's attack surface, particularly around connectors and workflows, remains a persistent source of vulnerabilities.
References
- NVD: CVE-2026-42398
- Elastic Security Advisory ESA-2026-37: Kibana 9.2.8 and 9.3.2 Security Update
- NVD: CVE-2026-33458 (Related Kibana SSRF)
- Elastic Security Advisory ESA-2026-17: Kibana 9.3.1 Security Update
- Elastic Security Advisory ESA-2026-05: Kibana Security Update
- Elastic Security Advisory ESA-2026-28: Kibana 9.3.3 Security Update
- Elastic Security Announcements
- Product Security at Elastic
- OWASP A10:2021 Server-Side Request Forgery
- OWASP SSRF Prevention Cheat Sheet
- Bypassing SSRF Filters Using r3dir (Leviathan Security)
- Elastic CVEs and Security Vulnerabilities (OpenCVE)
- SentinelOne: CVE-2026-33458 Kibana One Workflow SSRF



