Description
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw is an uncontrolled resource consumption issue that allows an authenticated user to send requests with excessively large input values through Kibana’s automatic import feature. When several such requests are made at the same time, the backend services become unstable, leading to a loss of availability for all users. The vulnerability does not expose or modify data, but it can halt normal operation, preventing legitimate use of Kibana.

Affected Systems

Elastic’s Kibana product is affected. The advisory references multiple releases, such as 8.19.14, 9.2.8, and 9.3.3, but no explicit version range is supplied. Administrative users with access to the automatic import feature constitute the risk group for affected installations.

Risk and Exploitability

The issue carries a CVSS score of 6.5, indicating moderate severity. Exploitation requires that the attacker already be authenticated with a role that permits use of the automatic import feature; it is not a remote unauthenticated attack vector. Because the CVE is not listed in the CISA KEV catalog and EPSS data is not available, the potential for exploitation is considered moderate but real. Triggering the denial of service requires several large-input requests to be sent concurrently, so exploitation would most likely be coordinated or automated.

Generated by OpenCVE AI on April 8, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kibana security patch as recommended in the Elastic advisory.
  • Restrict the automatic import feature to trusted administrators and remove it from broader user groups.
  • Implement request throttling or enforce maximum input size limits on the import endpoint.
  • Deploy monitoring to detect abnormal resource usage and set alerts for service disruptions.
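As an added illustration of the third and fourth recommended actions, the guard below enforces a maximum request body size and a cap on concurrent import requests per user and overall, and records every rejection so a monitoring hook can alert on bursts. This is example code written for this page, not Kibana or Elastic code; the limit values, the `ImportGuard` name and the reason strings are assumptions, and Kibana's real import endpoint is not shown on this page.

```javascript
// Added example: a request guard for an import-style endpoint that bounds
// resource consumption. Not Kibana/Elastic code; all limits are assumed values.
const DEFAULT_LIMITS = {
  maxBodyBytes: 5 * 1024 * 1024, // assumed cap on a single import payload
  maxInFlightPerUser: 2,         // assumed cap on concurrent imports per user
  maxInFlightTotal: 8,           // assumed cap across all users
};

class ImportGuard {
  constructor(limits = {}) {
    this.limits = { ...DEFAULT_LIMITS, ...limits };
    this.inFlight = new Map(); // userId -> number of active import requests
    this.totalInFlight = 0;
    this.rejections = [];      // audit trail consumed by monitoring/alerting
  }

  // Decide whether a request may proceed. contentLength is the declared body
  // size in bytes; checking it before the body is read means an oversized
  // payload is never buffered, which is the point of a size limit.
  admit(userId, contentLength) {
    const { maxBodyBytes, maxInFlightPerUser, maxInFlightTotal } = this.limits;
    let reason = null;
    if (!Number.isInteger(contentLength) || contentLength < 0) {
      reason = 'missing-or-invalid-content-length';
    } else if (contentLength > maxBodyBytes) {
      reason = 'payload-too-large';
    } else if ((this.inFlight.get(userId) || 0) >= maxInFlightPerUser) {
      reason = 'too-many-concurrent-requests-for-user';
    } else if (this.totalInFlight >= maxInFlightTotal) {
      reason = 'server-busy';
    }
    if (reason) {
      this.rejections.push({ userId, contentLength, reason, at: Date.now() });
      return { allowed: false, reason };
    }
    this.inFlight.set(userId, (this.inFlight.get(userId) || 0) + 1);
    this.totalInFlight += 1;
    return { allowed: true, reason: null };
  }

  // Must be called when an admitted request finishes, whether it succeeded
  // or failed; otherwise the slot leaks and the user is eventually locked out.
  release(userId) {
    const n = this.inFlight.get(userId) || 0;
    if (n <= 1) this.inFlight.delete(userId);
    else this.inFlight.set(userId, n - 1);
    if (n > 0) this.totalInFlight -= 1;
  }

  // Rejections per reason since a given timestamp, for a monitoring hook.
  rejectionCounts(sinceMs = 0) {
    const counts = {};
    for (const r of this.rejections) {
      if (r.at >= sinceMs) counts[r.reason] = (counts[r.reason] || 0) + 1;
    }
    return counts;
  }
}

// Constructed walkthrough: one user fires a burst of import requests without
// any finishing, the situation the advisory describes; returns the admit
// decision for each request in order.
function simulateBurst(guard, userId, sizes) {
  return sizes.map((size) => guard.admit(userId, size).allowed);
}
```

Usage: call `admit()` before reading the request body and `release()` from a `finally` block once the import has completed, and feed `rejectionCounts()` into whatever alerting the deployment already uses; a sudden rise in `too-many-concurrent-requests-for-user` from one account is the signal the fourth recommendation asks for.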

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Elastic; Elastic kibana

Type: Vendors & Products
Values removed: none
Values added: Elastic; Elastic kibana

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values removed: none
Values added: the description shown at the top of this page

Type: Title
Values removed: none
Values added: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Type: Weaknesses
Values removed: none
Values added: CWE-400

Type: References
Values removed: none
Values added: none listed

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-09T14:24:44.912Z

Reserved: 2026-03-20T10:53:23.099Z

Link: CVE-2026-33459

Vulnrichment

Updated: 2026-04-09T14:24:40.933Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T18:26:00.407

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:01Z

Weaknesses