Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
AnalysisAI
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low complexity and authenticated-but-low-privilege condition makes this a realistic risk in shared Kibana deployments.
Technical ContextAI
Kibana is Elastic's web-based data visualization and analytics frontend for Elasticsearch, widely deployed in enterprise SIEM, observability, and log analytics stacks. CWE-400 (Uncontrolled Resource Consumption) combined with CAPEC-130 (Excessive Allocation) indicates the root cause is an internal API endpoint that fails to enforce payload size or resource consumption limits. When an oversized payload is received, the Kibana Node.js process attempts to allocate the resources needed to process it, exhausting available memory or CPU and blocking all concurrent users until the process recovers or is restarted. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* uses a wildcard version, indicating the vulnerability spans a broad range of Kibana releases. The affected internal API is not publicly named in available data.
RemediationAI
Upgrade Kibana to a patched release per Elastic Security Advisory ESA-2026-32. Based on the advisory URL pattern, patched versions include 8.19.1, 9.3.5, and 9.4.1 - confirm the exact fix version applicable to your branch at https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-1-security-update-esa-2026-32/386548. As a compensating control prior to patching, enforce request body size limits at the reverse proxy or load balancer sitting in front of Kibana (e.g., nginx client_max_body_size or HAProxy maxreq) to prevent oversized payloads from reaching the application layer. Be aware that overly restrictive size limits may interfere with legitimate large dashboard exports or bulk data operations and should be tuned against observed traffic. Additionally, restrict Kibana access to the minimum necessary set of authenticated users and consider network-layer access controls (VPN, IP allowlisting) to reduce the population of users who can reach the internal API.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33010
GHSA-r7m3-v6c2-v4vr