Skip to main content

Kibana CVE-2026-26934

MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-02-26 security@elastic.co
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 26, 2026 - 18:23 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

AnalysisAI

Kibana contains a vulnerability that allows attackers to an authenticated attacker with view-only privileges to cause a Denial of Service (CVSS 6.5).

Technical ContextAI

affects Kibana. Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More in Kibana

View all
CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2025-25015 CRITICAL
9.9 Mar 05

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP

CVE-2018-17245 CRITICAL
9.8 Dec 20

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us

CVE-2025-25014 CRITICAL
9.1 May 06

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea

CVE-2019-7610 CRITICAL
9.0 Mar 25

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever

CVE-2024-12556 HIGH
8.7 Apr 08

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate

CVE-2024-37288 HIGH
8.8 Sep 09

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con

CVE-2023-31415 HIGH
8.8 May 04

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2023-31414 HIGH
8.8 May 04

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne

CVE-2026-26938 HIGH
8.6 Feb 26

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve

Share

CVE-2026-26934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy