CVE-2026-42398

HIGH7.7EPSS 0.03%

Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

發布日:2026/6/1修改日:2026/6/1

也稱為:BIT-elk-2026-42398BIT-kibana-2026-42398

描述

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

受影響套件(1)

Bitnami/elk>= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

參考連結(2)

WEBhttps://discuss.elastic.co/t/kibana-9-2-8-and-9-3-2-security-update-esa-2026-37/386557
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-42398