VYPR
Medium severity6.3NVD Advisory· Published May 28, 2026· Updated Jun 1, 2026

CVE-2026-49093

CVE-2026-49093

Description

Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

5
  • Elastic/Kibanainferred3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*range: >=9.3.0,<9.3.3
    • (no CPE)range: <9.3.3
  • osv-coords2 versions
    >= 9.3.0, < 9.3.3+ 1 more
    • (no CPE)range: >= 9.3.0, < 9.3.3
    • (no CPE)range: >= 9.3.0, < 9.3.3

Patches

Vulnerability mechanics

References

1

News mentions

1