#VU121290 Server-Side Request Forgery (SSRF) in Kibana - CVE-2026-0532

Published: January 13, 2026


Vulnerability identifier: #VU121290
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-0532
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Kibana
Software vendor: Elastic Stack

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted credentials JSON payload in the Google Gemini connector configuration and read the contents of arbitrary files on the system or initiate requests to internal systems.


Remediation

Install updates from the vendor's website.
