Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-26938
PUBLISHED
More InfoOfficial Page
Assigner-elastic
Assigner Org ID-271b6943-45a9-4f3a-ab4e-976f3fa05b5a
View Known Exploited Vulnerability (KEV) details
Published At-26 Feb, 2026 | 17:56
Updated At-27 Feb, 2026 | 16:03
Rejected At-
▼CVE Numbering Authority (CNA)
Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

Affected Products
Vendor
Elasticsearch BVElastic
Product
Kibana
Default Status
unaffected
Versions
Affected
  • From 9.3.0 through 9.3.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-1336CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Type: CWE
CWE ID: CWE-1336
Description: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Metrics
VersionBase scoreBase severityVector
3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-242CAPEC-242 Code Injection
CAPEC ID: CAPEC-242
Description: CAPEC-242 Code Injection
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253
N/A
Hyperlink: https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found