HIGH · CVE-2026-42398 · CNA: elastic

CVE-2026-42398: Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

HarborGuard Analysis

Synopsis

Server-Side Request Forgery (SSRF) in Kibana allows an authenticated user with connector management privileges to bypass the operator-configured connection allowlist. The vulnerability is reachable over the network and requires no admin-level account, only a low-privilege user who can manage Webhook connectors. Successful exploitation causes Kibana to issue outbound HTTP requests to internal or otherwise-blocked destinations, exposing network topology and internal service responses. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Elastic publishes a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built Kibana images. Any image running a Kibana version at or below 9.3.1 or 9.2.7 is flagged immediately on ingestion.

Triage: Available

HarborGuard scores this finding at CVSS 7.7 HIGH using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the inbox configured for the relevant team within each customer org, with full vector detail attached.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the Elastic advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix release appears. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the patch is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Kibana service over the network; the CVSS vector specifies AV:N, so any instance reachable over a network, whether from an internal network or the internet, is in scope.

  • Authentication: Required

    A low-privilege account with connector management rights is sufficient; no admin credentials are needed (PR:L).

  • Victim interaction: Not required

    No user interaction is required; the attacker acts entirely on their own without involving another party (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental setup.

Blast Radius

  • The attacker causes Kibana to issue outbound HTTP requests to internal network destinations that the egress allowlist was supposed to block, revealing the existence and reachability of those services.
  • Internal service responses returned to the connector expose configuration details, API endpoints, or data that would otherwise be inaccessible from outside the network perimeter.
  • Network topology information gathered through repeated SSRF probes can be used to map internal infrastructure and identify targets for follow-on attacks.
  • Confidentiality impact is rated HIGH in the CVSS vector (C:H); integrity and availability are unaffected, so data is read but not modified or disrupted.

How HarborGuard Handles This

Because Elastic has not yet published a fix for CVE-2026-42398, HarborGuard monitors the advisory on every ingest cycle and will trigger patched-image rebuild availability the moment an upstream fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads follow automatically, with no manual steps required. HarborGuard surfaces the advisory status on the affected image findings page and updates it as Elastic publishes new information.

In the meantime, compensating controls worth applying at the operator level include:

  • Enforce Kibana's egress policy as a strict allowlist at the infrastructure layer rather than relying solely on Kibana's built-in connection allowlist, which this vulnerability bypasses.
  • Restrict connector management privileges to the smallest possible set of users, since that privilege is all an attacker needs.
  • Enable egress filtering at the container or service mesh level to block requests to RFC 1918 address ranges and internal metadata endpoints.
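To make the infrastructure-layer control concrete, here is an added example (not Kibana's or HarborGuard's code) of the decision logic an egress filter or sidecar proxy applies to a connector target: deny rules for RFC 1918, loopback, link-local (which covers the 169.254.169.254 cloud metadata endpoint) and IPv6 private ranges are evaluated against the resolved address, and only then is the hostname checked against the operator allowlist. The function names, the hostnames and the resolver table are constructed for the example; the resolver is injectable so the check runs offline.

```python
"""Egress decision check for webhook targets (added example, hypothetical names).

Deny rules are checked against the address a target actually resolves to,
before the name-based allowlist, so that an allowlisted hostname that maps
into a private or metadata range is still refused.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations an outbound connector request should never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local, incl. 169.254.169.254 metadata
    "fc00::/7",                                         # IPv6 unique local
    "0.0.0.0/8",                                        # "this" network
)]


def default_resolver(host):
    """Resolve a hostname to the set of every address it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked(addr):
    """True if the address string lies in a blocked range (after unmapping ::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_egress(url, allowed_hosts, resolver=default_resolver):
    """Return (allowed, reason) for an outbound request to `url`."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP target: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"could not resolve {host!r}: {exc}"
    # Deny rules first: every resolved address must be outside the blocked ranges.
    for addr in addrs:
        if is_blocked(addr):
            return False, f"{host!r} resolves to {addr}, which is in a blocked range"
    if host not in allowed_hosts:
        return False, f"host {host!r} is not on the egress allowlist"
    return True, f"{host!r} -> {sorted(addrs)} permitted"


if __name__ == "__main__":
    # Constructed sample data: a fake resolver table standing in for DNS.
    table = {
        "hooks.example.test": {"203.0.113.10"},       # public, allowlisted webhook receiver
        "intranet.example.test": {"10.1.2.3"},        # allowlisted by name, but private
        "meta.example.test": {"169.254.169.254"},     # resolves to the metadata endpoint
    }
    allowed = set(table)
    for target in ("https://hooks.example.test/notify",
                   "https://intranet.example.test/admin",
                   "http://meta.example.test/latest/meta-data/",
                   "http://[::ffff:192.168.1.1]/",
                   "ftp://hooks.example.test/"):
        print(target, "=>", check_egress(target, allowed, table.__getitem__))
```

The point of the ordering is that a name on the allowlist buys nothing if it resolves into a blocked range; the same decision should be enforced where the connection is actually made (network policy, egress proxy or service mesh), not only when the connector is saved, which is what the infrastructure-layer recommendation above amounts to.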


Metrics

  • CVSS v3.1: 7.7
  • Severity: HIGH
  • Fixed in: pending upstream
  • Affected products: 1
  • Affected packages: Elastic / Kibana, ≤ 9.3.1 · ≤ 9.2.7
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N