PatchSiren cyber security CVE debrief
CVE-2026-42398 Elastic CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability in Kibana allows authenticated users with connector management privileges to bypass operator-configured egress restrictions. The flaw exists in the Webhook connector functionality, where crafted target configurations can cause Kibana to issue outbound requests to destinations that should be blocked by allowlist controls. This represents a scope change (S:C) in CVSS terms, as the vulnerable component impacts resources beyond its security authority. The vulnerability requires low attack complexity and low privileges, with no user interaction needed. Elastic has addressed this in Kibana versions 9.2.8 and 9.3.2 as part of security update ESA-2026-37. Organizations should prioritize patching instances where connector management is delegated to non-administrative users or where strict egress controls are mandated by policy.
- Vendor: Elastic
- Product: Kibana
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Kibana with delegated connector management privileges, particularly those in regulated environments with strict egress control requirements. Security teams operating multi-tenant Kibana instances where connector creation is exposed to non-administrative users. Infrastructure teams relying on Kibana's allowlist as a primary egress control mechanism.
Technical summary
The vulnerability stems from insufficient validation of Webhook connector target URLs against the configured connection allowlist. Authenticated users with connector management privileges can craft connector configurations that cause the Kibana server to initiate requests to arbitrary destinations, effectively bypassing operator-configured egress restrictions. This is a classic SSRF pattern where user-supplied input (the webhook URL) is used to construct server-side requests without adequate validation against an allowlist. The scope change (S:C) in the CVSS vector indicates successful exploitation can affect resources beyond the vulnerable component's security authority—specifically, internal infrastructure or cloud metadata endpoints that the Kibana server can reach but should not access per policy.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Kibana to 9.2.8 or 9.3.2 (or a later release), the versions that carry the fix tracked as ESA-2026-37
- Review and audit existing Webhook connector configurations for unauthorized destinations
- Restrict connector management privileges to administrative roles only as interim mitigation
- Implement network-layer egress filtering independent of application controls for defense in depth
- Monitor Kibana server logs for anomalous outbound connection attempts
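As an added example, not Kibana's code and not part of this debrief, the kind of pre-request allowlist check the technical summary and the defensive actions above describe: the target URL is validated against an operator allowlist and every address it resolves to must be public before a connector is allowed to contact it. ALLOWED_HOST_SUFFIXES, FAKE_DNS and check_connector_target are assumed names, and the resolver table is constructed so the block runs offline.

```python
"""Hypothetical outbound-target check for a webhook-style connector (added example)."""
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Assumption: stands in for the operator-configured connection allowlist.
ALLOWED_HOST_SUFFIXES = ("hooks.example.com", "alerts.example.net")

# Constructed resolver table; the addresses are sample values, not real services.
FAKE_DNS = {
    "hooks.example.com": ["23.45.67.89"],
    "alerts.example.net": ["2a02:abcd::1"],
    "cname.hooks.example.com": ["10.0.0.5"],         # allowlisted name, internal target
    "meta.alerts.example.net": ["169.254.169.254"],  # allowlisted name, metadata range
}

def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])

def host_allowed(host: str) -> bool:
    """Exact or subdomain match only; never a plain substring match."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)

def address_is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_connector_target(url: str,
                           resolve: Callable[[str], List[str]] = fake_resolve
                           ) -> Tuple[bool, str]:
    """Decide before any request is sent. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # lowercased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "IP literals not permitted; use an allowlisted hostname"
    if not host_allowed(host):
        return False, f"host {host!r} not in allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    # An allowlisted name can still point into internal space (rebinding, stale
    # records), so every resolved address must be public. Production code should
    # also connect to the address it validated rather than resolving a second time.
    for addr in addrs:
        if not address_is_public(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"
```

In production, replace fake_resolve with a socket.getaddrinfo-based resolver and apply the same check again to any redirect target.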
Evidence notes
The vulnerability is classified as CWE-918 (Server-Side Request Forgery). CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. The vendor evidence indicates Elastic as the affected vendor, with Kibana as the product. The security advisory reference confirms remediation versions 9.2.8 and 9.3.2.
Official resources
- CVE-2026-42398 CVE record (CVE.org)
- CVE-2026-42398 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Elastic disclosed this vulnerability via their security advisory channel on 2026-05-28, with patches available for supported release branches.