This vulnerability involves an SSRF issue (CWE-918) in the Kibana One Workflow component of Elastic Kibana 9.3.0. It allows an authenticated user with workflow creation and execution rights to circumvent host allowlist protections in the Workflows Execution Engine. This bypass can result in unauthorized access to internal network resources and sensitive information disclosure. The CVSS 3.1 base score is 6.8, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and impact limited to confidentiality. No patch or official remediation level has been published by Elastic as of the data provided.

The impact of this vulnerability is limited to information disclosure. An attacker who is authenticated and has workflow creation and execution privileges can bypass host allowlist restrictions, potentially accessing sensitive internal endpoints and data that should be protected. There is no indication of integrity or availability impact. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided by Elastic, users should monitor Elastic's advisories for updates. Until a patch is available, restrict workflow creation and execution privileges to trusted users only to reduce the risk of exploitation.