CVE-2026-26938

Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)

Description

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

INFO

Published Date :

2026-02-26T17:56:48.611Z

Last Modified :

2026-02-27T16:03:59.847Z

Source :

elastic

AFFECTED PRODUCTS

The following products are affected by CVE-2026-26938 vulnerability.

Vendors	Products
Elastic	Kibana

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26938.

URL	Resource
https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact