CVE-2026-0530 - Vulnerability Details

- Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.

Published: 2026-01-13

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Elastic Kibana’s Fleet component allocates system resources without limits or throttling, a defect identified as CWE-770. A specially crafted request triggers redundant processing operations that relentlessly consume CPU, memory, or disk I/O until the service becomes degraded or unavailable. This denial of service condition can affect all users of an impacted Kibana instance, compromising availability but not directly exposing data.

Affected Systems

The vulnerability affects the Elastic Kibana product. All versions that include the Fleet feature and have not yet applied the 8.19.10.9.1/8.19.10.9.2.4 security update are potentially vulnerable. Specific version numbers are not listed, so administrators should verify whether their Kibana release contains the Fleet component and apply the latest update.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity rating. The EPSS score is less than 1%, suggesting a low but nonzero likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw by sending a specially crafted request to the Kibana Fleet endpoint over the network; no privileged access is required, though the attacker must be able to reach the Kibana service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Elastic

Kibana

unaffected

Version	Status	Constraints
`7.10.0`	affected	≤ 7.17.29
`8.0.0`	affected	≤ 8.19.9
`9.0.0`	affected	≤ 9.1.9
`9.2.0`	affected	≤ 9.2.3

Configuration 1 [-]

OR	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::

No data.

Vendor	Product	Confidence	Versions
Elastic	Kibana	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Kibana security update (8.19.10.9.1 or 8.19.10.9.2.4) to enforce resource limits on Fleet operations.
Restrict external access to the Kibana Fleet endpoint using firewall rules or network segmentation, limiting traffic to trusted internal networks.
If Fleet is not required, disable the feature or remove it from the configuration to eliminate the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 06:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00059.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521
https://nvd.nist.gov/vuln/detail/CVE-2026-0530
https://www.cve.org/CVERecord?id=CVE-2026-0530

History

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:elastic:kibana::::::::

Thu, 15 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0530 https://www.cve.org/CVERecord?id=CVE-2026-0530
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 14 Jan 2026 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Elastic Elastic kibana
Vendors & Products		Elastic Elastic kibana

Tue, 13 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.
Title		Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation
Weaknesses		CWE-770
References		https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Elastic Kibana

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2026-01-13T21:03:13.655Z

Updated: 2026-01-13T21:25:28.056Z

Reserved: 2025-12-19T15:50:33.248Z

Link: CVE-2026-0530

Vulnrichment

Updated: 2026-01-13T21:25:22.781Z

NVD

Status : Analyzed

Published: 2026-01-13T21:15:50.817

Modified: 2026-01-22T19:58:42.553

Link: CVE-2026-0530

Redhat

Severity : Moderate

Publid Date: 2026-01-13T21:03:13Z

Links: CVE-2026-0530 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object