Skip to main content

Kibana EUVDEUVD-2026-33034

| CVE-2026-49094 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 elastic GHSA-q4c9-4pm6-jq34
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:30 vuln.today

DescriptionCVE.org

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.

AnalysisAI

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level access to render the service completely unavailable. By submitting a request containing an oversized input value, the attacker causes Kibana to consume excessive CPU and memory, crashing the service for all users and requiring manual intervention to restore. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low privilege bar - viewer access only - significantly elevates real-world risk in multi-tenant or SaaS Elastic deployments.

Technical ContextAI

Kibana is Elastic's browser-based analytics and visualization interface for the Elastic Stack (Elasticsearch, Logstash, Kibana). The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption) triggered via CAPEC-130 (Excessive Allocation): the analytics collections management endpoint fails to impose adequate bounds on input size before allocating compute and memory resources to process the request. The affected product is identified by CPE cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*, with the wildcard version indicating the vulnerability affects a broad range of Kibana releases prior to the patched version referenced in the advisory. There is no scope change (S:U), meaning the impact is confined to the Kibana process itself rather than escaping to the underlying host or Elasticsearch cluster.

RemediationAI

Upgrade Kibana to version 8.19.16 or later, as referenced in Elastic security advisory ESA-2026-39 at https://discuss.elastic.co/t/kibana-8-19-16-security-update-esa-2026-39/386561/1. Note that 8.19.16 is inferred as the fix version from the advisory URL slug and has not been independently verified from release notes in the provided data. If an immediate upgrade is not possible, restrict access to the analytics collections management endpoint at the network or reverse-proxy layer to limit exposure to trusted users or IP ranges. Additionally, review and tighten role assignments to minimize the number of accounts with even viewer-level access to Kibana, reducing the pool of potential attackers. Rate-limiting requests to analytics endpoints via an API gateway or WAF rule targeting oversized request bodies is a compensating control, though it may affect legitimate large analytics operations. Monitor Kibana process CPU and memory metrics for anomalous spikes as a detection signal.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

EUVD-2026-33034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy