Description
Improper Validation of Array Index (CWE-129) in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) in the Prometheus helper module can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.
Published: 2026-01-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Improper validation of array indices in the Graphite and ZooKeeper server metricsets, and improper input validation in the Prometheus helper module, allow an attacker who can get specially crafted, malformed metric data parsed by Metricbeat to stop the service from functioning. The impact is availability only (the CVSS vector records A:H with no confidentiality or integrity impact): a denial of service via input data manipulation (CAPEC-153).
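The CWE-129 pattern behind this advisory, illustrated on the Graphite plaintext protocol ("<path> <value> <timestamp>") that the Graphite server metricset ingests. This is an added example, not Metricbeat's own code: parseNaive indexes the split fields without checking how many there are, which in Go is a runtime panic on a short or empty line and, if nothing recovers it, takes the whole process down; parseChecked validates the field count and contents and returns an error instead, so malformed lines are dropped rather than fatal. The sample lines are constructed. The same pattern applies to any text-based metric format, including the Prometheus exposition format handled by the Prometheus helper.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Metric is the result of parsing one Graphite plaintext line.
type Metric struct {
	Path      string
	Value     float64
	Timestamp int64
}

// parseNaive shows the CWE-129 pattern (hypothetical code, not Metricbeat's):
// fields[1] and fields[2] are read without checking len(fields), so a line with
// fewer than three fields triggers an index-out-of-range panic.
func parseNaive(line string) Metric {
	fields := strings.Fields(line)
	value, _ := strconv.ParseFloat(fields[1], 64)
	ts, _ := strconv.ParseInt(fields[2], 10, 64)
	return Metric{Path: fields[0], Value: value, Timestamp: ts}
}

// parseChecked validates the field count and each field's syntax before use
// and reports malformed input as an error instead of panicking.
func parseChecked(line string) (Metric, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Metric{}, fmt.Errorf("graphite: want 3 fields, got %d", len(fields))
	}
	value, err := strconv.ParseFloat(fields[1], 64)
	if err != nil {
		return Metric{}, fmt.Errorf("graphite: bad value %q: %w", fields[1], err)
	}
	ts, err := strconv.ParseInt(fields[2], 10, 64)
	if err != nil {
		return Metric{}, fmt.Errorf("graphite: bad timestamp %q: %w", fields[2], err)
	}
	return Metric{Path: fields[0], Value: value, Timestamp: ts}, nil
}

// panics reports whether the naive parser panics on line, recovering the panic
// so the demonstration itself survives. In a real collector with no recover,
// this panic is the denial of service.
func panics(line string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	parseNaive(line)
	return false
}

// ingest processes a batch the way a hardened listener should: valid lines
// are kept, malformed ones are counted and dropped, and the process lives on.
func ingest(lines []string) (ok []Metric, dropped int) {
	for _, l := range lines {
		m, err := parseChecked(l)
		if err != nil {
			dropped++
			continue
		}
		ok = append(ok, m)
	}
	return ok, dropped
}

func main() {
	// Constructed sample input: one well-formed line plus malformed payloads of
	// the kind the advisory describes (too few fields, empty line, bad number).
	lines := []string{
		"servers.web01.cpu.load 0.75 1736802000",
		"servers.web01.cpu.load", // missing value and timestamp
		"",                       // empty line
		"servers.web01.mem.used notanumber 1736802000",
	}
	for _, l := range lines {
		fmt.Printf("naive parser panics on %q: %v\n", l, panics(l))
	}
	ok, dropped := ingest(lines)
	fmt.Printf("hardened parser kept %d metrics, dropped %d malformed lines\n", len(ok), dropped)
}
```

The `notanumber` line does not panic the naive parser because the field count happens to be right; it shows why the checked version also validates each field, since silently ingesting a zero value is its own data-integrity problem even when it is not a crash.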

Affected Systems

Elastic Metricbeat deployments that use the Graphite server metricset, the ZooKeeper server metricset, or any module built on the Prometheus helper are affected. Releases before the fixed versions 8.19.10, 9.1.10 and 9.2.4 (one per maintained release line) lack the necessary checks; see GHSA-w2gr-585j-r428 for the vendor's affected-range details.

Risk and Exploitability

The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 6.5) rates this medium: adjacent-network attack vector, low complexity, no privileges or user interaction, and high availability impact with no confidentiality or integrity loss. An EPSS below 1% and the SSVC assessment "Exploitation: none" indicate no known exploitation at the time of writing, and the vulnerability is not listed in CISA's KEV catalog. Note that the vector is adjacent (AV:A), not fully remote: the attacker needs to get crafted metric data in front of Metricbeat's parsers, for example by sending payloads to the Graphite server metricset listener from a reachable network position, or by controlling a monitored ZooKeeper or Prometheus-format endpoint that returns malformed responses when Metricbeat polls it.

Generated by OpenCVE AI on April 18, 2026 at 06:27 UTC.

Remediation

The record lists no vendor workaround; the fix is to upgrade to the patched Metricbeat releases referenced in GHSA-w2gr-585j-r428 (see the recommended actions below).

OpenCVE Recommended Actions

  • Upgrade Metricbeat to a fixed release (8.19.10, 9.1.10 or 9.2.4, or later within the same release line), which adds the array-index checks to the Graphite and ZooKeeper metricsets and the input validation to the Prometheus helper.
  • Restrict who can reach the Graphite server metricset listener (bind it to a specific interface and firewall or IP-filter the port), and point the ZooKeeper metricset and Prometheus-based modules only at endpoints you control or trust, since Metricbeat parses whatever those endpoints return.
  • Monitor Metricbeat for unexpected process exits or restarts and for log errors tied to the Graphite, ZooKeeper, or Prometheus metricsets, and alert on them as potential denial-of-service attempts.

Advisories
Source: GitHub GHSA
ID: GHSA-w2gr-585j-r428
Title: Metricbeat affected by multiple denial of service vulnerabilities
History

Thu, 22 Jan 2026 23:00:00 +0000

  Added - First Time appeared: Elastic kibana
  Added - CPEs: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
  Added - Vendors & Products: Elastic kibana

Wed, 14 Jan 2026 11:15:00 +0000

  Added - First Time appeared: Elastic; Elastic metricbeat
  Added - Vendors & Products: Elastic; Elastic metricbeat

Tue, 13 Jan 2026 22:15:00 +0000

  Added - Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 21:15:00 +0000

  Added - Description: Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.
  Added - Title: Improper Input Validation in Metricbeat Leading to Denial of Service
  Added - Weaknesses: CWE-129
  Added - References: (no values listed)
  Added - Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-01-13T21:25:10.446Z

Reserved: 2025-12-19T15:27:18.049Z

Link: CVE-2026-0528

Vulnrichment

Updated: 2026-01-13T21:25:03.101Z

NVD

Status : Analyzed

Published: 2026-01-13T21:15:50.647

Modified: 2026-01-22T19:57:29.927

Link: CVE-2026-0528

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses