Description
Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an improper validation of the specified quantity in input to the Timelion visualization plugin, classified as CWE-1284. An authenticated user can craft a Timelion expression that overwrites internal series data properties with an excessively large value, causing the plugin to allocate more resources than intended and leading to a denial of service. The impact is a disruption of user services within Kibana and potential instability of the underlying cluster.

Affected Systems

This defect affects installations of Elastic Kibana that include the Timelion visualization plugin. No specific version range is listed in the CVE entry, so all releases that have Timelion enabled are potentially vulnerable until the vendor releases a fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS is reported at less than 1%, suggesting a low current likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a legitimate authenticated session in which the attacker submits a specially crafted Timelion expression, so the threat comes from holders of valid Kibana accounts rather than from anonymous attackers. Even though the likelihood of rapid exploitation is low, a denial of service can affect every stakeholder relying on the Kibana instance if it is not mitigated.

Generated by OpenCVE AI on March 23, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current Kibana version and Timelion plugin configuration.
  • Download and install the most recent Kibana release that includes the official fix from Elastic’s security update, as referenced in the advisory discussion.

Generated by OpenCVE AI on March 23, 2026 at 14:37 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 13:45:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Sat, 21 Mar 2026 05:30:00 +0000

Type          Values Removed           Values Added
References    -                        -
Metrics       threat_severity: None    threat_severity: Moderate

Fri, 20 Mar 2026 09:00:00 +0000

Type                   Values Removed    Values Added
First Time appeared    -                 Elastic; Elastic kibana
Vendors & Products     -                 Elastic; Elastic kibana

Thu, 19 Mar 2026 18:15:00 +0000

Type       Values Removed    Values Added
Metrics    -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 17:45:00 +0000

Type           Values Removed    Values Added
Description    -                 Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.
Title          -                 Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
Weaknesses     -                 CWE-1284
References     -                 -
Metrics        -                 cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-03-19T17:48:13.985Z

Reserved: 2026-02-16T16:42:05.774Z

Link: CVE-2026-26940

Vulnrichment

Updated: 2026-03-19T17:48:04.005Z

NVD

Status : Analyzed

Published: 2026-03-19T18:16:21.870

Modified: 2026-03-23T13:35:49.390

Link: CVE-2026-26940

Redhat

Severity : Moderate

Public Date: 2026-03-19T17:14:31Z

Links: CVE-2026-26940 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:55:15Z

Weaknesses