Description
Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.
Published: 2026-02-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Improper validation of a specified quantity in user input (CWE‑1284) allows an authenticated user with view‑only access to send a specially crafted payload that consumes excessive resources, causing Kibana to become unresponsive or crash. The vulnerability arises from accepting malformed input without correctly limiting the amount of data processed, leading to denial of service.

Affected Systems

Elastic Kibana instances are affected. The CPE data recorded for this CVE lists all Kibana versions up to and including 9.3.0 as affected; the recommended actions below cite 8.19.12 (8.x line) and 9.3.1 (9.x line) as the releases that contain the fix. Administrators should verify that their deployment falls within the affected range and apply the corresponding update.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (Medium; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), the vulnerability is reachable over the network, requires no user interaction, needs only low privileges (a valid Kibana account with view‑only access), and its impact is confined to availability. The EPSS score of less than 1% indicates a low likelihood of exploitation at this time, it is not currently listed in CISA's KEV catalog, and the SSVC assessment recorded in the history below rates it as not automatable with no known exploitation. Nevertheless, any authenticated view‑only user can trigger the denial of service by submitting the malicious payload, and the impact is service interruption for every user of the affected Kibana instance. In practice the deciding factor is how many people can obtain a Kibana login, which in deployments with SSO or shared read‑only dashboards is often far wider than the administrator group.

Generated by OpenCVE AI on April 17, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the recommended actions below cite Kibana 8.19.12 and 9.3.1 as the releases that contain the fix.

OpenCVE Recommended Actions

  • Apply the latest Kibana security update, such as 8.19.12 or 9.3.1, which contain the fix.
  • Restrict view‑only user access to only those who truly need it, following the principle of least privilege; the attack needs nothing more than a valid login.
  • Monitor Kibana logs for repeated malformed requests (for example, bursts of HTTP 400 responses or unusually large request bodies from one client or account) and consider rate limiting such clients; a request should be rejected as soon as validation fails rather than processed any further.

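The log‑monitoring recommendation above, as an added example (not code from OpenCVE or Elastic): a small TypeScript scan over constructed ECS‑style Kibana JSON log lines that flags clients whose requests keep failing validation, or keep arriving with oversized bodies, inside a sliding one‑minute window. The field paths (`client.ip`, `url.path`, `http.response.status_code`, `http.request.body.bytes`) and the thresholds are assumptions to adapt to the deployment's logging configuration; the lines, the addresses and `/api/hypothetical_endpoint` are constructed for the example.

```typescript
// Added example, not Kibana's code: detection over constructed ECS-style JSON
// log lines, flagging clients that keep sending requests that fail validation
// (HTTP 400) or carry oversized bodies. The field names (@timestamp, client.ip,
// url.path, http.response.status_code, http.request.body.bytes) follow ECS but
// are an assumption about the deployment's logging configuration; the log lines
// and the /api/hypothetical_endpoint path are constructed for this example.

interface LogEvent {
  ts: number;        // epoch milliseconds
  clientIp: string;
  path: string;
  status: number;
  bodyBytes: number; // request body size; 0 when the field is absent
}

interface Finding {
  clientIp: string;
  failures: number;   // most 400s seen inside one window
  oversized: number;  // most oversized bodies seen inside one window
  windowStart: string;
}

interface Thresholds {
  windowMs: number;
  maxFailures: number;
  maxBodyBytes: number;
  maxOversized: number;
}

const defaultThresholds: Thresholds = {
  windowMs: 60_000,
  maxFailures: 5,
  maxBodyBytes: 1_000_000,
  maxOversized: 3,
};

// Parse one JSON log line into the fields the detection needs; returns null for
// malformed lines or lines missing the required fields, so one bad line does
// not stop the scan.
function parseLogLine(line: string): LogEvent | null {
  let obj: any;
  try {
    obj = JSON.parse(line);
  } catch (e) {
    return null;
  }
  const ts = Date.parse(obj['@timestamp']);
  const status = obj?.http?.response?.status_code;
  const clientIp = obj?.client?.ip;
  const path = obj?.url?.path;
  if (isNaN(ts) || typeof status !== 'number' || typeof clientIp !== 'string' || typeof path !== 'string') {
    return null;
  }
  const bodyBytes = obj?.http?.request?.body?.bytes;
  return { ts, clientIp, path, status, bodyBytes: typeof bodyBytes === 'number' ? bodyBytes : 0 };
}

// Sliding window per client: walk that client's events in time order, keep
// running counts of 400s and oversized bodies within windowMs, and record a
// finding (with the peak counts) once either count reaches its threshold.
function detectAbuse(lines: string[], t: Thresholds = defaultThresholds): Finding[] {
  const byClient: Record<string, LogEvent[]> = {};
  for (let i = 0; i < lines.length; i++) {
    const e = parseLogLine(lines[i]);
    if (e === null) continue;
    (byClient[e.clientIp] = byClient[e.clientIp] || []).push(e);
  }
  const findings: Finding[] = [];
  Object.keys(byClient).sort().forEach((ip) => {
    const evs = byClient[ip].sort((a, b) => a.ts - b.ts);
    let start = 0;
    let failures = 0;
    let oversized = 0;
    let finding: Finding | null = null;
    for (let end = 0; end < evs.length; end++) {
      if (evs[end].status === 400) failures++;
      if (evs[end].bodyBytes > t.maxBodyBytes) oversized++;
      while (evs[end].ts - evs[start].ts > t.windowMs) {
        if (evs[start].status === 400) failures--;
        if (evs[start].bodyBytes > t.maxBodyBytes) oversized--;
        start++;
      }
      if (failures >= t.maxFailures || oversized >= t.maxOversized) {
        if (finding === null) {
          finding = { clientIp: ip, failures, oversized, windowStart: new Date(evs[start].ts).toISOString() };
        } else {
          finding.failures = Math.max(finding.failures, failures);
          finding.oversized = Math.max(finding.oversized, oversized);
        }
      }
    }
    if (finding !== null) findings.push(finding);
  });
  return findings;
}

// Constructed log lines: 10.0.0.5 sends six rejected requests in 25 seconds,
// 10.0.0.7 sends three 2 MB bodies within a minute, and 10.0.0.9 is a normal
// user with two isolated mistakes; the last line is deliberately not JSON.
function sampleLogLines(): string[] {
  const line = (iso: string, ip: string, status: number, bytes: number): string =>
    JSON.stringify({
      '@timestamp': iso,
      client: { ip },
      url: { path: '/api/hypothetical_endpoint' },
      http: { request: { method: 'POST', body: { bytes } }, response: { status_code: status } },
    });
  return [
    line('2026-03-01T10:00:00.000Z', '10.0.0.5', 400, 512),
    line('2026-03-01T10:00:05.000Z', '10.0.0.5', 400, 512),
    line('2026-03-01T10:00:10.000Z', '10.0.0.5', 400, 512),
    line('2026-03-01T10:00:15.000Z', '10.0.0.5', 400, 512),
    line('2026-03-01T10:00:20.000Z', '10.0.0.5', 400, 512),
    line('2026-03-01T10:00:25.000Z', '10.0.0.5', 400, 512),
    line('2026-03-01T10:00:00.000Z', '10.0.0.7', 200, 2_000_000),
    line('2026-03-01T10:00:30.000Z', '10.0.0.7', 200, 2_000_000),
    line('2026-03-01T10:00:59.000Z', '10.0.0.7', 200, 2_000_000),
    line('2026-03-01T10:00:00.000Z', '10.0.0.9', 400, 300),
    line('2026-03-01T10:00:40.000Z', '10.0.0.9', 200, 300),
    line('2026-03-01T10:05:00.000Z', '10.0.0.9', 400, 300),
    'not json at all',
  ];
}
```

Running `detectAbuse(sampleLogLines())` reports 10.0.0.5 (six validation failures in one window) and 10.0.0.7 (three oversized bodies) and stays quiet about 10.0.0.9, whose two 400s are five minutes apart. Feed the findings to whatever rate limiter or block list sits in front of Kibana; the thresholds are deliberately conservative starting points, not tuned values.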

Tracking


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 16:00:00 +0000

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
  cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*

Sat, 28 Feb 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Elastic; Elastic kibana

Type: Vendors & Products
Values removed: (none)
Values added: Elastic; Elastic kibana

Thu, 26 Feb 2026 17:30:00 +0000

Type: Description
Values added: Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

Type: Title
Values added: Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

Type: Weaknesses
Values added: CWE-1284

Type: References
Values added: (none)

Type: Metrics (cvssV3_1)
Values added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-02-26T18:28:11.925Z

Reserved: 2026-02-16T16:42:05.773Z

Link: CVE-2026-26934

Vulnrichment

Updated: 2026-02-26T17:53:32.864Z

NVD

Status : Analyzed

Published: 2026-02-26T18:23:07.647

Modified: 2026-03-02T15:59:55.850

Link: CVE-2026-26934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses