Skip to main content

Kibana CVE-2026-33464

| EUVDEUVD-2026-33010 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 elastic GHSA-r7m3-v6c2-v4vr
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 20:25 vuln.today

DescriptionCVE.org

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.

AnalysisAI

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low complexity and authenticated-but-low-privilege condition makes this a realistic risk in shared Kibana deployments.

Technical ContextAI

Kibana is Elastic's web-based data visualization and analytics frontend for Elasticsearch, widely deployed in enterprise SIEM, observability, and log analytics stacks. CWE-400 (Uncontrolled Resource Consumption) combined with CAPEC-130 (Excessive Allocation) indicates the root cause is an internal API endpoint that fails to enforce payload size or resource consumption limits. When an oversized payload is received, the Kibana Node.js process attempts to allocate the resources needed to process it, exhausting available memory or CPU and blocking all concurrent users until the process recovers or is restarted. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* uses a wildcard version, indicating the vulnerability spans a broad range of Kibana releases. The affected internal API is not publicly named in available data.

RemediationAI

Upgrade Kibana to a patched release per Elastic Security Advisory ESA-2026-32. Based on the advisory URL pattern, patched versions include 8.19.1, 9.3.5, and 9.4.1 - confirm the exact fix version applicable to your branch at https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-1-security-update-esa-2026-32/386548. As a compensating control prior to patching, enforce request body size limits at the reverse proxy or load balancer sitting in front of Kibana (e.g., nginx client_max_body_size or HAProxy maxreq) to prevent oversized payloads from reaching the application layer. Be aware that overly restrictive size limits may interfere with legitimate large dashboard exports or bulk data operations and should be tuned against observed traffic. Additionally, restrict Kibana access to the minimum necessary set of authenticated users and consider network-layer access controls (VPN, IP allowlisting) to reduce the population of users who can reach the internal API.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-33464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy