
CVE-2026-26938 - Vulnerability Analysis

High | CVSS: 8.6

Last Updated: March 2, 2026

Kibana - Template Injection

Published: February 26, 2026 | Updated: March 2, 2026 | Remote Exploitable

Overview

Kibana contains a template injection vulnerability in Workflows, caused by improper neutralization of special elements. An authenticated attacker with the workflowsManagement:executeWorkflow privilege can read arbitrary files and perform SSRF via code injection.

Severity & Score

Severity: High
CVSS Score: 8.6
EPSS Score: 4.5% (probability of exploitation in the next 30 days)

Impact

Authenticated attackers can read arbitrary files and perform SSRF, potentially leading to sensitive data exposure and internal network access.

Mitigation

Update to the latest Kibana version with the fix applied.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 28, 2026

🟠 CVE-2026-26938 - High (8.6) Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26938/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-26938
Severity: High
CVSS Score: 8.6
Type: template_injection
Status: confirmed
EPSS: 4.5%
Social Posts: 1

CWE

  • CWE-1336

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

4.5% (probability of exploitation in the next 30 days)