CVE-2026-0528
MEDIUM
GHSA-w2gr-585j-r428
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.
Analysis
Denial of Service in Prometheus and Kibana metricsets can be triggered by sending specially crafted malformed payloads to Graphite, Zookeeper, or Prometheus data sources due to improper array index validation and input validation flaws. An unauthenticated attacker on the network can exploit this to crash monitoring services without user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running Metricbeat can allow an attacker to cause a Denial of Servic and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today