Impact
Uncontrolled Resource Consumption (CWE-400) in Kibana allows an authenticated user with access to the automatic import feature to submit specially crafted requests containing excessively large input values. When multiple such requests are executed concurrently, the backend services become unstable, disrupting service and rendering the deployment unavailable. The resulting impact is a denial of service that affects availability for all users of the affected Kibana deployment.
Affected Systems
The vulnerability is reported in Elastic Kibana. No specific versions are listed in the official CNA data; however, the security update references Kibana 8.19.14, 9.2.8, and 9.3.3, which implies that those releases, and potentially other current versions, are affected until patched. All installations that enable the automatic import feature and have authenticated users able to invoke it are affected.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires valid credentials with import rights, so an attacker must first authenticate. Once authenticated, the attacker can trigger the denial of service through concurrent large-payload requests. The main risk lies in availability loss for the Kibana service and potential cascading impact on dependent systems.
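Because exploitation needs an authenticated account sending several oversized import requests in a short window, the pattern is visible in access logs. The following detection is an added example, not code from Elastic or OpenCVE; it runs over constructed JSON access-log lines (the route marker "automatic_import", the field names and the size thresholds are assumptions, not Kibana's real values) and flags users whose burst of large POSTs to the import route exceeds a sliding-window limit.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example. The path is a placeholder
# marker, not Kibana's real import route; field names are assumed.
SAMPLE_LOG = """
{"@timestamp":"2024-05-01T10:00:00Z","user":"carol","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":20971520}
{"@timestamp":"2024-05-01T10:00:05Z","user":"alice","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":52428800}
{"@timestamp":"2024-05-01T10:00:05Z","user":"bob","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":31457280}
{"@timestamp":"2024-05-01T10:00:06Z","user":"bob","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":4096}
{"@timestamp":"2024-05-01T10:00:07Z","user":"bob","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":8192}
{"@timestamp":"2024-05-01T10:00:10Z","user":"alice","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":52428800}
{"@timestamp":"2024-05-01T10:00:15Z","user":"alice","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":52428800}
{"@timestamp":"2024-05-01T10:00:20Z","user":"alice","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":52428800}
{"@timestamp":"2024-05-01T10:01:00Z","user":"carol","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":20971520}
{"@timestamp":"2024-05-01T10:02:00Z","user":"carol","method":"POST","path":"/api/PLACEHOLDER/automatic_import","bytes_in":20971520}
"""


def parse_records(text):
    """Parse one JSON object per line into dicts with a parsed UTC timestamp."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_burst_offenders(records, path_marker="automatic_import",
                         max_bytes=10 * 1024 * 1024,
                         window=timedelta(seconds=30), max_hits=3):
    """Return {user: peak_count} for users who sent at least max_hits POSTs
    larger than max_bytes to the import route within any sliding window."""
    recent = defaultdict(deque)   # per-user timestamps of large import POSTs
    offenders = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if (rec["method"] != "POST" or path_marker not in rec["path"]
                or rec["bytes_in"] <= max_bytes):
            continue                # small or unrelated requests are ignored
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()             # drop hits that fell out of the window
        if len(q) >= max_hits:
            offenders[rec["user"]] = max(offenders.get(rec["user"], 0), len(q))
    return offenders
```

In the constructed sample only alice is flagged: bob sends a single large request and carol spreads three large ones over two minutes, so neither crosses the per-window limit.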
OpenCVE Enrichment