CVE-2026-33458
Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
7.7
HIGH
CVSS 3.1
EPSS 0.05%
Description
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
How to fix CVE-2026-33458
To remediate CVE-2026-33458, upgrade the affected package to a fixed version below.
- Upgrade to 9.3.3 or later
- Upgrade to 9.3.3 or later
Is CVE-2026-33458 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 9.3.0, < 9.3.3
- >= 9.3.0, < 9.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |