Description
Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
Published: 2026-02-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via regex exponential blowup
Action: Patch
AI Analysis

Impact

Inefficient Regular Expression Complexity in Kibana's AI Inference Anonymization Engine allows an attacker to craft a regular expression that triggers exponential blowup, leading to a denial of service. The flaw is classified as CWE-1333 and can disrupt the availability of the Kibana service by exhausting CPU and memory resources.

Affected Systems

The affected product is Elastic Kibana. No specific version information is listed in the advisory; all currently supported releases before the fix are potentially vulnerable.

Risk and Exploitability

The CVSS score is 4.9, indicating moderate risk, and the EPSS score is below 1%, showing a very low probability of exploitation. Because the vulnerability stems from the AI inference engine, the likely attack vector is sending a malicious regular expression via the relevant Kibana API, but exploitation details are not publicly documented. The issue is not included in the CISA KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Kibana version that includes the security update (e.g., 8.20.0 or later).
  • If an upgrade cannot be performed immediately, disable the AI inference anonymization engine or limit its usage only to trusted sources.
  • Apply input throttling or rate limits on the Kibana API to prevent excessive regex processing and monitor resource usage for signs of blowup.
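The recommended actions above treat the regex as untrusted input. The following is an added example, not Kibana's code and not taken from the advisory, of a server-side pre-check a Node.js service can run on a user-supplied pattern before compiling and executing it: it caps pattern length, rejects patterns that a syntax check refuses, flags a repeating quantifier applied to a group that itself contains a repeating quantifier (the structural shape behind CWE-1333 exponential blowup), and limits explicit counted repetition. The limits and function names are assumptions chosen for illustration.

```javascript
// Added example (not Kibana code): static pre-check for a user-supplied
// regular expression before it is compiled and run on the server.
const MAX_PATTERN_LENGTH = 256;   // assumed limit on pattern size
const MAX_BOUNDED_REPEAT = 100;   // assumed limit on explicit {n,m} counts

// Returns the quantifier starting at index i, or null if none is there.
function scanQuantifier(source, i) {
  const ch = source[i];
  if (ch === '*' || ch === '+' || ch === '?') {
    let end = i + 1;
    if (source[end] === '?') end++;            // lazy modifier
    return { end, repeats: ch !== '?', explicitBound: 0, text: source.slice(i, end) };
  }
  if (ch === '{') {
    const m = /^\{(\d+)(?:,(\d*))?\}\??/.exec(source.slice(i));
    if (m === null) return null;               // a '{' that is not a quantifier is literal
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : (m[2] === '' ? Infinity : Number(m[2]));
    return {
      end: i + m[0].length,
      repeats: hi > 1,                          // {1} and {0,1} cannot repeat
      explicitBound: hi === Infinity ? lo : hi, // largest count written in the pattern
      text: m[0],
    };
  }
  return null;
}

// Analyses a pattern and returns { safe, reasons }. The pattern is never executed.
function analyzePattern(source) {
  const reasons = [];
  if (source.length > MAX_PATTERN_LENGTH) {
    reasons.push(`pattern is ${source.length} characters, limit is ${MAX_PATTERN_LENGTH}`);
  }
  try {
    new RegExp(source);                        // syntax check only
  } catch (err) {
    return { safe: false, reasons: [`invalid pattern: ${err.message}`] };
  }

  const outer = [];        // saved "repeat seen" flags of the enclosing groups
  let repeatSeen = false;  // a repeating quantifier was seen at the current nesting level
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    let closedGroupHadRepeat = false;

    if (ch === '(') {
      outer.push(repeatSeen);
      repeatSeen = false;
      i++;
      if (source[i] === '?') {                 // (?:  (?=  (?!  (?<=  (?<!  (?<name>
        i++;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          i = source.indexOf('>', i) + 1;      // named capture; '>' exists since the syntax check passed
        } else if (source[i] === '<') {
          i += 2;
        } else {
          i++;
        }
      }
      continue;                                // a group opener takes no quantifier
    }
    if (ch === ')') {
      closedGroupHadRepeat = repeatSeen;
      repeatSeen = outer.pop() ?? false;
      i++;
    } else if (ch === '\\') {
      i += 2;                                  // escaped character or shorthand such as \d
    } else if (ch === '[') {
      i++;                                     // character class: quantifier characters inside are literal
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
      i++;                                     // skip the closing ']'
    } else {
      i++;                                     // ordinary character, '.', '|', '^' or '$'
    }

    const q = scanQuantifier(source, i);
    if (q === null) continue;
    if (q.repeats) {
      if (closedGroupHadRepeat) reasons.push(`nested repetition ending at offset ${q.end}`);
      repeatSeen = true;
    }
    if (q.explicitBound > MAX_BOUNDED_REPEAT) {
      reasons.push(`counted repeat ${q.text} exceeds ${MAX_BOUNDED_REPEAT}`);
    }
    i = q.end;
  }
  return { safe: reasons.length === 0, reasons };
}

// Compiles the pattern only when the pre-check passes; the caller handles the thrown error.
function compileIfSafe(source) {
  const verdict = analyzePattern(source);
  if (!verdict.safe) throw new Error(`rejected pattern: ${verdict.reasons.join('; ')}`);
  return new RegExp(source);
}

module.exports = { analyzePattern, compileIfSafe, scanQuantifier };
```

This check is a heuristic, not a proof: it catches the nested-repetition shape but not every super-linear pattern (overlapping alternations inside a repeated group, for example), so it belongs in front of, not instead of, the per-request rate limit and resource monitoring listed above. Running the compiled pattern against a length-capped input in a worker with a CPU budget closes the remaining gap.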

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elastic; Elastic kibana
Vendors & Products | | Elastic; Elastic kibana

Thu, 26 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
Title | | Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service
Weaknesses | | CWE-1333
References | |
Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-02-26T18:28:11.114Z

Reserved: 2026-02-16T16:42:05.774Z

Link: CVE-2026-26936

Vulnrichment

Updated: 2026-02-26T17:53:26.995Z

NVD

Status: Analyzed

Published: 2026-02-26T18:23:07.973

Modified: 2026-03-02T16:01:07.393

Link: CVE-2026-26936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses