Skip to main content

Kibana EUVDEUVD-2026-33030

| CVE-2026-42400 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 elastic GHSA-mhgf-jqhm-p7p3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:32 vuln.today

DescriptionCVE.org

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing.

AnalysisAI

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and broad authentication base (any valid Kibana login) make this a meaningful availability risk for multi-tenant or internet-exposed deployments.

Technical ContextAI

Kibana (cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*) is Elastic's browser-based analytics and visualization frontend for Elasticsearch. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) triggered via CAPEC-130 (Excessive Allocation), a pattern commonly associated with decompression bomb attacks. HTTP request processing pipelines typically decompress encoded payloads (e.g., gzip, deflate, brotli) early in the middleware stack - before routing and authorization - to allow request bodies to be read by downstream handlers. In this case, a malicious compressed payload with a high compression ratio can expand to a size that exhausts heap memory or saturates CPU during decompression, all before Kibana's authorization layer has had the opportunity to validate the requester's permissions for the targeted endpoint. This ordering flaw means that even endpoints requiring elevated privileges are vulnerable to resource exhaustion from low-privileged authenticated users.

RemediationAI

Upgrade Kibana to a fixed release: version 8.19.16, 9.3.5, or 9.4.2, as detailed in Elastic security advisory ESA-2026-35 at https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-2-security-update-esa-2026-35/386554. If immediate patching is not feasible, the following compensating controls can reduce exposure: restrict Kibana access to the minimum necessary set of authenticated users by tightening role assignments and disabling self-service account creation, which limits the pool of potential attackers; place Kibana behind a reverse proxy or WAF configured to enforce maximum decompressed request body size limits (e.g., nginx client_max_body_size or equivalent), noting that this may reject legitimate large payloads and require tuning; and consider rate-limiting authenticated HTTP requests at the network perimeter to reduce the frequency of potential abuse. Network isolation of Kibana (e.g., not internet-facing) reduces but does not eliminate risk since the vulnerability only requires low-privilege authentication. No workaround fully eliminates the root cause; patching is the definitive fix.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

EUVD-2026-33030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy