Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
AnalysisAI
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and minimal privilege requirements make it an accessible attack surface for any credentialed Kibana user.
Technical ContextAI
Kibana's Timelion component is a legacy time-series visualization engine that uses a proprietary chained-function expression language to define data pipelines and transformations. The vulnerability (CWE-400, Uncontrolled Resource Consumption) exists in the server-side parsing or evaluation of these expressions: when function calls are nested or chained to arbitrary depth, the internally constructed data structure (likely a recursive AST or evaluation stack) grows without a depth or size limit, triggering the CAPEC-130 Excessive Allocation pattern. The CPE string cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* indicates the entire Kibana product line is in scope. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms this is a purely availability-impacting, network-reachable attack requiring only low privileges with no user interaction.
RemediationAI
The primary fix is to upgrade Kibana to version 8.19.16 or 9.3.5, as indicated by the Elastic security advisory ESA-2026-36 at https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-36/386556. Note that these fix versions are inferred from the advisory URL slug and should be confirmed against the full advisory content before deployment. If an immediate upgrade is not feasible, a targeted compensating control is to restrict the Timelion feature: administrators can limit Kibana role privileges to exclude Timelion visualization creation for untrusted or low-privileged users, reducing the attack surface to accounts that genuinely require it. Additionally, placing Kibana behind an authentication proxy and enforcing the principle of least privilege on Kibana roles limits which users can submit arbitrary Timelion expressions. Note that disabling Timelion access may affect analyst workflows that depend on time-series visualization expressions. Rate-limiting or request-size limits at the Kibana application or reverse-proxy layer may partially mitigate abuse but will not fully prevent a crafted small-payload expression from triggering exponential internal allocation.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33031
GHSA-hcw2-vpp7-52v9