CVE-2026-49093 Elastic CVE debrief

Who should care

Organizations running Kibana with connector management features enabled, particularly those relying on allowlist-based egress controls for compliance or security isolation. Security teams responsible for SSRF prevention and infrastructure segmentation should prioritize review.

Technical summary

The vulnerability exists in Kibana's connector management functionality where an authenticated user with appropriate privileges can manipulate connector configurations to circumvent operator-defined allowlists. This SSRF weakness (CWE-918) permits the Kibana server to initiate requests to unauthorized external destinations, potentially exposing internal infrastructure or enabling data exfiltration. The attack requires network access to Kibana, low-privileged authenticated access, and has high attack complexity. The vulnerability has changed scope impact (S:C) with high confidentiality impact but no integrity or availability impact per the CVSS vector.

Defensive priority

medium

Recommended defensive actions

• Review Kibana connector management configurations and verify allowlist enforcement
• Apply Kibana 9.3.3 security update or later patched version
• Audit connector management privileges and restrict to necessary personnel only
• Monitor outbound network traffic from Kibana servers for unexpected destinations
• Validate egress controls are functioning as intended after patching

Evidence notes

Vulnerability description sourced from NVD record with CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. Vendor attribution to Elastic based on reference domain evidence with low confidence flag for review. Official security advisory reference confirms Kibana 9.3.3 security update ESA-2026-40.

Official resources