EUVD-2026-33031
GHSA-hcw2-vpp7-52v9
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
AnalysisAI
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a
Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level
Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators
Share
External POC / Exploit Code
Leaving vuln.today