EUVD-2026-33030
GHSA-mhgf-jqhm-p7p3
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing.
AnalysisAI
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc
Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level
Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators
Share
External POC / Exploit Code
Leaving vuln.today