Description
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.
Published: 2026-01-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Kibana Fleet allows a specially crafted bulk retrieval request to trigger redundant database retrieval operations that consume memory until the server crashes. An attacker with a viewer-level role, which provides read access to agent policies, can exploit this flaw. The resulting denial of service makes Kibana unavailable to all users.

Affected Systems

Elastic Kibana is the affected product. No specific version information is listed, so any installation of Kibana that includes Fleet is potentially vulnerable. Users should verify their deployments against vendor advisories.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, while an EPSS of less than 1% reflects a low likelihood of broad exploitation. The flaw is not yet catalogued in CISA’s KEV list. Exploitation requires a viewer‑level account and the ability to send the crafted bulk request, suggesting the attack vector is likely internal or via compromised credentials rather than remote network intrusion. Given the moderate impact and low exploitation probability, the risk is considered moderate, warranting timely patching.

Generated by OpenCVE AI on April 18, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Kibana to the latest version following Elastic’s security release advisory.
  • Restrict viewer‑role users from accessing Fleet bulk retrieval endpoints, or enforce stricter role permissions to disable read access to agent policies.
  • Implement application‑level rate limiting or resource throttling to prevent exhaustion of memory during bulk operations.

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Thu, 15 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Wed, 14 Jan 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elastic; Elastic kibana
Vendors & Products | | Elastic; Elastic kibana

Tue, 13 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.
Title | | Allocation of Resources Without Limits or Throttling in Kibana Fleet
Weaknesses | | CWE-770
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-01-13T21:25:44.808Z

Reserved: 2025-12-19T15:59:24.984Z

Link: CVE-2026-0531

Vulnrichment

Updated: 2026-01-13T21:25:40.325Z

NVD

Status: Analyzed

Published: 2026-01-13T21:15:50.990

Modified: 2026-01-22T19:59:54.277

Link: CVE-2026-0531

Redhat

Severity: Moderate

Public Date: 2026-01-13T21:05:51Z

Links: CVE-2026-0531 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses