Medium severity6.3NVD Advisory· Published May 28, 2026· Updated Jun 1, 2026
CVE-2026-49093
CVE-2026-49093
Description
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5- osv-coords2 versions
>= 9.3.0, < 9.3.3+ 1 more
- (no CPE)range: >= 9.3.0, < 9.3.3
- (no CPE)range: >= 9.3.0, < 9.3.3
Patches
Vulnerability mechanics
References
1- discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-40/386562nvdVendor Advisory
News mentions
1- Kibana: Elastic Discloses 10 CVEs in a Single Day — SSRF, DoS, and Privilege EscalationVypr Intelligence · May 28, 2026