Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-accessible endpoint (AV:N), low-privilege auth required (PR:L), availability-only impact (A:H); no confidentiality, integrity, or scope-change effect.
Primary rating from Vendor (elastic).
CVSS VectorVendor: elastic
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.
AnalysisAI
Denial of service in Kibana allows any authenticated user with low-privilege access to exhaust server resources via a specially crafted bulk deletion request, potentially rendering the Kibana interface completely unavailable. Affected are Kibana deployments prior to versions 8.19.15 and 9.3.4 across both the 8.x and 9.x release branches. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Kibana user account with at least low-level privileges sufficient to access the bulk deletion functionality (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score reflects a network-accessible (AV:N), low-complexity (AC:L), low-privilege (PR:L) attack with high availability impact and no confidentiality or integrity consequences (C:N/I:N/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege Kibana account - such as a read/write analyst role in a shared SOC environment - crafts an oversized or malformed bulk deletion request and submits it to the Kibana API endpoint. The server processes the request without enforcing resource or size limits, consuming excessive memory or CPU. … |
| Remediation | Upgrade Kibana to version 8.19.15 (for 8.x deployments) or 9.3.4 (for 9.x deployments) per the vendor advisory at https://discuss.elastic.co/t/kibana-8-19-15-9-3-4-security-update-esa-2026-49. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are us
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine lea
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical sever
Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rate
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document con
Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is re
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulne
Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana serve
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41088
GHSA-fv98-p2r6-2cjr