Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing.
AnalysisAI
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and broad authentication base (any valid Kibana login) make this a meaningful availability risk for multi-tenant or internet-exposed deployments.
Technical ContextAI
Kibana (cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*) is Elastic's browser-based analytics and visualization frontend for Elasticsearch. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) triggered via CAPEC-130 (Excessive Allocation), a pattern commonly associated with decompression bomb attacks. HTTP request processing pipelines typically decompress encoded payloads (e.g., gzip, deflate, brotli) early in the middleware stack - before routing and authorization - to allow request bodies to be read by downstream handlers. In this case, a malicious compressed payload with a high compression ratio can expand to a size that exhausts heap memory or saturates CPU during decompression, all before Kibana's authorization layer has had the opportunity to validate the requester's permissions for the targeted endpoint. This ordering flaw means that even endpoints requiring elevated privileges are vulnerable to resource exhaustion from low-privileged authenticated users.
RemediationAI
Upgrade Kibana to a fixed release: version 8.19.16, 9.3.5, or 9.4.2, as detailed in Elastic security advisory ESA-2026-35 at https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-2-security-update-esa-2026-35/386554. If immediate patching is not feasible, the following compensating controls can reduce exposure: restrict Kibana access to the minimum necessary set of authenticated users by tightening role assignments and disabling self-service account creation, which limits the pool of potential attackers; place Kibana behind a reverse proxy or WAF configured to enforce maximum decompressed request body size limits (e.g., nginx client_max_body_size or equivalent), noting that this may reject legitimate large payloads and require tuning; and consider rate-limiting authenticated HTTP requests at the network perimeter to reduce the frequency of potential abuse. Network isolation of Kibana (e.g., not internet-facing) reduces but does not eliminate risk since the vulnerability only requires low-privilege authentication. No workaround fully eliminates the root cause; patching is the definitive fix.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33030
GHSA-mhgf-jqhm-p7p3