How serious is CVE-2026-26938?

This vulnerability has a CVSS score of 7.7 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-26938?

CVE-2026-26938 affects elastic kibana. Check the full CVE details for specific version information.

How do I fix CVE-2026-26938?

To remediate CVE-2026-26938, check for security patches from elastic. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-26938

High

|7.7

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker with specific permissions in Kibana to read any file on the server and potentially make unauthorized requests to other servers. To exploit this, the attacker must be an authenticated user with the ability to execute workflows.

Technical Description

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactNone

Availability ImpactNone

ScopeChanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,474($1K-$5K)

Vendor Response

Grade APatched in 3 days

Quick Information

Published

Feb 26, 2026

about 1 month ago

Last Modified

Mar 2, 2026

about 1 month ago

Vendor

elastic

Product

kibana

Related Vulnerabilities

CVE-2026-26937High

This vulnerability allows an attacker to overload the Kibana service, causing it to become unresponsive, effectively leading to a Denial of Service. It can be exploited by sending specially crafted input data to the Timelion component, which means that the attacker needs to have access to the Kibana interface to trigger the issue.

CVE-2026-26936High

This vulnerability allows an attacker to cause Kibana to crash or become unresponsive by sending specially crafted input that triggers excessive processing in the system's regular expressions. To exploit this, the attacker needs access to the AI Inference Anonymization Engine, which may be exposed through user inputs or API calls.

CVE-2026-26935High

This vulnerability allows an attacker to crash the Kibana service by sending specially crafted input to its search feature, which can overwhelm the system. To exploit this, the attacker needs access to the internal Content Connectors endpoint, making it critical to secure that part of the application.

CVE-2026-26934Medium

An attacker with view-only access to Kibana can exploit this vulnerability to send specially crafted data that overwhelms the system, causing it to crash or become unresponsive. This means that even users who are not fully authorized can disrupt the service by manipulating input data.