Skip to main content

Elastic CVE-2026-26940

| EUVDEUVD-2026-13145 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-03-19 elastic
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 18:00 euvd
EUVD-2026-13145
Analysis Generated
Mar 19, 2026 - 18:00 vuln.today
CVE Published
Mar 19, 2026 - 17:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.

AnalysisAI

A Denial of Service vulnerability exists in Kibana's Timelion visualization plugin that allows authenticated users to trigger excessive memory allocation through improper validation of specially crafted Timelion expressions. An attacker with valid Kibana credentials can overwrite internal series data properties with excessively large quantity values, causing the application to exhaust system resources and become unavailable. This is a network-accessible vulnerability requiring low privileges with a CVSS score of 6.5 and documented as a confirmed denial-of-service attack vector affecting multiple active Kibana versions.

Technical ContextAI

The vulnerability exists in the Timelion visualization component of Elastic Kibana (CPE: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*), which is a time-series data visualization and analysis tool integrated into the Kibana platform. The root cause is classified under CWE-1284 (Improper Validation of Specified Quantity in Input), indicating that the Timelion expression parser fails to validate or constrain numeric quantity parameters before processing them. When a user submits a specially crafted Timelion expression with an oversized quantity value, the plugin allocates internal memory buffers or data structures based on this unvalidated input without proper bounds checking. The attack mechanism falls under CAPEC-130 (Excessive Allocation), where resource exhaustion occurs through deliberate provision of large quantity values that exceed reasonable operational limits, causing the Kibana process to consume excessive heap memory and potentially trigger out-of-memory conditions that lead to service unavailability.

RemediationAI

Immediately upgrade Elastic Kibana to version 8.19.13 or later (if using the 8.x branch), version 9.2.7 or later (if using the 9.0-9.2 branch), or version 9.3.2 or later (if using the 9.3 branch) as documented in the official Elastic security advisory ESA-2026-20 (https://discuss.elastic.co/t/kibana-8-19-13-9-2-7-9-3-2-security-update-esa-2026-20/385535). Until patching can be completed, implement the following compensating controls: restrict Kibana access to trusted internal users and networks via firewall rules and reverse proxy authentication; disable or restrict access to the Timelion visualization plugin if not actively used; monitor Kibana process memory and CPU usage for anomalous spikes that may indicate exploitation attempts; and audit Timelion query logs for suspicious expressions containing extremely large numeric values. Consider implementing rate limiting on Timelion expression submissions to further mitigate automated attack attempts.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Vendor StatusVendor

Share

CVE-2026-26940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy