CVE-2026-26938 - Vulnerability Analysis
Severity: High | CVSS: 8.6 | Last Updated: February 26, 2026
Kibana - Template Injection
Published: February 26, 2026 | Updated: February 26, 2026 | Remote Exploitable
Overview
Kibana contains a template injection vulnerability in Workflows, caused by improper neutralization of special elements. Authenticated attackers with the workflowsManagement:executeWorkflow privilege can read arbitrary files and perform SSRF via code injection.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Authenticated attackers can read arbitrary files and perform SSRF, potentially leading to sensitive data exposure and internal network access.
Mitigation
Update to the latest Kibana version with the fix applied.
Details
- CVE ID: CVE-2026-26938
- Severity: High
- CVSS Score: 8.6
- Type: template_injection
- Status: new
CWE
- CWE-1336
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N