Skip to main content

Kibana CVE-2026-42399

| EUVDEUVD-2026-33031 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 elastic GHSA-hcw2-vpp7-52v9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:32 vuln.today

DescriptionCVE.org

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.

AnalysisAI

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and minimal privilege requirements make it an accessible attack surface for any credentialed Kibana user.

Technical ContextAI

Kibana's Timelion component is a legacy time-series visualization engine that uses a proprietary chained-function expression language to define data pipelines and transformations. The vulnerability (CWE-400, Uncontrolled Resource Consumption) exists in the server-side parsing or evaluation of these expressions: when function calls are nested or chained to arbitrary depth, the internally constructed data structure (likely a recursive AST or evaluation stack) grows without a depth or size limit, triggering the CAPEC-130 Excessive Allocation pattern. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* indicates the entire Kibana product line is in scope. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms this is a purely availability-impacting, network-reachable attack requiring only low privileges with no user interaction.

RemediationAI

The primary fix is to upgrade Kibana to version 8.19.16 or 9.3.5, as indicated by the Elastic security advisory ESA-2026-36 at https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-36/386556. Note that these fix versions are inferred from the advisory URL slug and should be confirmed against the full advisory content before deployment. If an immediate upgrade is not feasible, a targeted compensating control is to restrict the Timelion feature: administrators can limit Kibana role privileges to exclude Timelion visualization creation for untrusted or low-privileged users, reducing the attack surface to accounts that genuinely require it. Additionally, placing Kibana behind an authentication proxy and enforcing the principle of least privilege on Kibana roles limits which users can submit arbitrary Timelion expressions. Note that disabling Timelion access may affect analyst workflows that depend on time-series visualization expressions. Rate-limiting or request-size limits at the Kibana application or reverse-proxy layer may partially mitigate abuse but will not fully prevent a crafted small-payload expression from triggering exponential internal allocation.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-42399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy