Vulnerability Details CVE-2026-42398
Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.2%
CVSS Severity
CVSS v3 Score 7.7
Products affected by CVE-2026-42398
-
cpe:2.3:a:elastic:kibana:9.0.0
-
cpe:2.3:a:elastic:kibana:9.0.1
-
cpe:2.3:a:elastic:kibana:9.0.2
-
cpe:2.3:a:elastic:kibana:9.0.3
-
cpe:2.3:a:elastic:kibana:9.0.4
-
cpe:2.3:a:elastic:kibana:9.0.5
-
cpe:2.3:a:elastic:kibana:9.0.6
-
cpe:2.3:a:elastic:kibana:9.0.7
-
cpe:2.3:a:elastic:kibana:9.0.8
-
cpe:2.3:a:elastic:kibana:9.1.0
-
cpe:2.3:a:elastic:kibana:9.1.1
-
cpe:2.3:a:elastic:kibana:9.1.10
-
cpe:2.3:a:elastic:kibana:9.1.2
-
cpe:2.3:a:elastic:kibana:9.1.3
-
cpe:2.3:a:elastic:kibana:9.1.4
-
cpe:2.3:a:elastic:kibana:9.1.5
-
cpe:2.3:a:elastic:kibana:9.1.6
-
cpe:2.3:a:elastic:kibana:9.1.7
-
cpe:2.3:a:elastic:kibana:9.1.8
-
cpe:2.3:a:elastic:kibana:9.1.9
-
cpe:2.3:a:elastic:kibana:9.2.0
-
cpe:2.3:a:elastic:kibana:9.2.1
-
cpe:2.3:a:elastic:kibana:9.2.2
-
cpe:2.3:a:elastic:kibana:9.2.3
-
cpe:2.3:a:elastic:kibana:9.2.4
-
cpe:2.3:a:elastic:kibana:9.2.5
-
cpe:2.3:a:elastic:kibana:9.2.6
-
cpe:2.3:a:elastic:kibana:9.2.7
-
cpe:2.3:a:elastic:kibana:9.3.0