CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
Analysis (AI)
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. …
EUVD-2026-33010
GHSA-r7m3-v6c2-v4vr