Unrated severityNVD Advisory· Published Feb 26, 2026· Updated Feb 27, 2026
Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)
CVE-2026-26938
Description
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4- osv-coords2 versions
>= 9.3.0, < 9.3.1+ 1 more
- (no CPE)range: >= 9.3.0, < 9.3.1
- (no CPE)range: >= 9.3.0, < 9.3.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.