Description
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled Resource Consumption (CWE-400) in Kibana allows an authenticated user with a low‑privileged role to submit a specially crafted, oversized payload to an internal API. The excessive allocation of resources exhausts the Kibana process, rendering it unresponsive to all users until the service recovers or is restarted. The result is a denial of service that affects the availability of dashboards, log access, and other Kibana features.

Affected Systems

Elastic Kibana installations that have not applied the fixing security update are affected. The record lists the product only as Elastic kibana, with no version range and no references, so until Elastic publishes the affected and fixed versions every current Kibana deployment should be treated as potentially affected.

Risk and Exploitability

With a CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), the vulnerability is of moderate severity: it is reachable over the network with low attack complexity, needs only a low-privileged authenticated account, requires no user interaction, and affects availability only. No EPSS probability is provided, and it is not listed in CISA's KEV. Because authentication is required, the realistic attacker is an insider or a compromised account that holds any Kibana role. If such an attacker can send the oversized payload, the Kibana process will consume resources until it crashes or stalls, temporarily denying access to all users. No public exploit is cited, but the absence of a vendor fix or workaround on this record and the fact that the target is an internal API reachable by any authenticated user increase the likelihood of exploitation.

Generated by OpenCVE AI on May 28, 2026 at 20:21 UTC.
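
The hunt a defender would run for this class of attempt, as an added example that is not part of the OpenCVE record or of Elastic's code: it scans Kibana HTTP access logs for clients that repeatedly get 413 rejections (the status Kibana returns when a request body exceeds its payload limit) or that trigger unusually slow responses on /internal/ paths. The ECS field layout, the sample log lines and the /internal/example/... paths are constructed for the example; the record does not name the vulnerable endpoint, so the check is deliberately generic.

```python
"""Hunt for oversized-payload attempts against Kibana's internal APIs.

Added example, not code from the OpenCVE record or from Elastic. It
assumes Kibana's JSON (ECS) HTTP access logging, where each response is
logged by the "http.server.response" logger with client.ip, url.path,
http.response.status_code and http.response.responseTime. That field
layout and the sample lines below are constructed for the example; check
them against your own logs before relying on the field names.
"""
import json
from collections import defaultdict
from typing import Any, Dict, Iterable, List


def _line(ip: str, method: str, path: str, status: int, ms: int) -> str:
    """Build one constructed log line in the assumed Kibana ECS layout."""
    return json.dumps({
        "@timestamp": "2026-05-28T20:00:00.000Z",
        "log": {"level": "DEBUG", "logger": "http.server.response"},
        "client": {"ip": ip},
        "http": {"request": {"method": method},
                 "response": {"status_code": status, "responseTime": ms}},
        "url": {"path": path},
        "message": f"{method} {path} {status} {ms}ms",
    })


# Constructed sample traffic (paths are placeholders, not real endpoints):
# 10.0.0.5 hammers an internal endpoint with bodies that get rejected and
# one that is accepted but stalls the server; 10.0.0.9 is an ordinary user.
SAMPLE_LOGS: List[str] = [
    _line("10.0.0.9", "GET", "/api/saved_objects/_find", 200, 35),
    _line("10.0.0.5", "POST", "/internal/example/bulk", 413, 4),
    _line("10.0.0.5", "POST", "/internal/example/bulk", 413, 3),
    _line("10.0.0.9", "POST", "/internal/example/search", 200, 120),
    _line("10.0.0.5", "POST", "/internal/example/bulk", 413, 5),
    _line("10.0.0.5", "POST", "/internal/example/bulk", 200, 9800),
    '{"log":{"logger":"plugins.security"},"message":"unrelated line"}',
    "not json at all",
]


def _get(ev: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested keys; return default if any level is missing."""
    cur: Any = ev
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_events(lines: Iterable[str]) -> Iterable[Dict[str, Any]]:
    """Yield only well-formed HTTP response events; skip noise quietly."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if _get(ev, "log", "logger") == "http.server.response":
            yield ev


def suspicious_clients(lines: Iterable[str], slow_ms: int = 5000,
                       min_hits: int = 3) -> Dict[str, Dict[str, Any]]:
    """Score each client IP by 413 rejections and slow /internal/ calls.

    A client is reported when rejected + slow_internal >= min_hits. The
    defaults are assumptions for the example; tune slow_ms to the normal
    latency of your deployment.
    """
    stats: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"rejected": 0, "slow_internal": 0, "paths": set()})
    for ev in parse_events(lines):
        ip = _get(ev, "client", "ip", default="unknown")
        status = _get(ev, "http", "response", "status_code", default=0)
        took = _get(ev, "http", "response", "responseTime", default=0)
        path = _get(ev, "url", "path", default="")
        entry = stats[ip]
        if status == 413:
            entry["rejected"] += 1
            entry["paths"].add(path)
        if path.startswith("/internal/") and took >= slow_ms:
            entry["slow_internal"] += 1
            entry["paths"].add(path)
    return {
        ip: {"rejected": s["rejected"], "slow_internal": s["slow_internal"],
             "paths": sorted(s["paths"])}
        for ip, s in stats.items()
        if s["rejected"] + s["slow_internal"] >= min_hits
    }


if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOGS).items():
        print(f"{ip}: {info['rejected']} rejected, "
              f"{info['slow_internal']} slow internal calls, paths={info['paths']}")
```

Run it against a real export of Kibana's access log (one JSON object per line) and the hits are the accounts and source addresses to pivot on in the audit log; a single 413 is normal user error, a burst from one client is not.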

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Elastic security update that addresses this issue as soon as it is published; at the time of this record no fix or workaround is listed, so track the Elastic security advisory for CVE-2026-33464.
  • Reduce the pool of accounts that can reach Kibana's internal APIs: the attack needs only a low‑privileged role, so review who holds any Kibana role at all, remove dormant or shared accounts, and keep Kibana off untrusted networks. Role permissions do not control request size, so this limits exposure rather than closing the flaw.
  • Enforce request size limits in front of the internal API so oversized payloads are rejected before Kibana allocates for them: Kibana's own server.maxPayload setting (default 1048576 bytes) caps the request body it accepts, and a body‑size limit on the reverse proxy adds a second layer. Whether a tighter limit stops this specific payload is an assumption until Elastic describes the endpoint, so test that saved‑object imports and other legitimate large requests still work.
  • Enable Kibana monitoring (Stack Monitoring or the /api/status endpoint) and alert on abnormal process heap usage, event loop delay or CPU so resource exhaustion attempts are detected while the service is still responsive.

Generated by OpenCVE AI on May 28, 2026 at 20:21 UTC.
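
One way to implement the monitoring step above, as an added example rather than Elastic's or OpenCVE's code: it compares two consecutive status snapshots and alerts when the heap approaches its limit, the event loop stalls, or a large share of the new requests in the interval were rejected (413) or failed (5xx). The snapshot shape is modelled on what Kibana's GET /api/status returns, but the exact field names, the thresholds and the two snapshots are assumptions constructed for the example and must be checked against the status output of your own Kibana version.

```python
"""Alert on resource-exhaustion symptoms from Kibana status snapshots.

Added example, not code from the OpenCVE record or from Elastic. It
assumes snapshots shaped like the JSON from Kibana's GET /api/status, in
particular metrics.process.memory.heap.{used_in_bytes,size_limit},
metrics.process.event_loop_delay and metrics.requests.{total,status_codes};
that layout, the thresholds and the snapshots below are constructed for
the example. Two snapshots are compared so the alert fires on a trend
(heap climbing, event loop stalling, requests starting to fail) rather
than on one noisy reading.
"""
from typing import Any, Dict, List


def _snapshot(heap_used: int, heap_limit: int, loop_delay_ms: float,
              total_requests: int, codes: Dict[str, int]) -> Dict[str, Any]:
    """Build a constructed snapshot in the assumed /api/status shape."""
    return {
        "status": {"overall": {"level": "available"}},
        "metrics": {
            "process": {
                "memory": {"heap": {"used_in_bytes": heap_used,
                                    "size_limit": heap_limit}},
                "event_loop_delay": loop_delay_ms,
            },
            "requests": {"total": total_requests, "status_codes": codes},
        },
    }


# Constructed: a quiet baseline, then a snapshot taken while an oversized
# payload is being processed. Request counters are cumulative since start.
BASELINE = _snapshot(600_000_000, 2_048_000_000, 12.0, 10_000,
                     {"200": 9_900, "404": 100})
UNDER_ATTACK = _snapshot(1_900_000_000, 2_048_000_000, 850.0, 10_400,
                         {"200": 10_050, "404": 100, "503": 250})


def _failed_or_rejected(snap: Dict[str, Any]) -> int:
    """Cumulative count of 5xx responses and 413 payload rejections."""
    codes = snap["metrics"]["requests"]["status_codes"]
    return sum(n for code, n in codes.items()
               if code.startswith("5") or code == "413")


def evaluate(prev: Dict[str, Any], curr: Dict[str, Any],
             heap_warn: float = 0.85, loop_warn_ms: float = 500.0,
             fail_ratio_warn: float = 0.2) -> List[str]:
    """Return human-readable alerts; an empty list means no symptom."""
    alerts: List[str] = []
    proc = curr["metrics"]["process"]
    heap = proc["memory"]["heap"]
    heap_ratio = heap["used_in_bytes"] / heap["size_limit"]
    if heap_ratio >= heap_warn:
        alerts.append(f"heap at {heap_ratio:.0%} of size_limit")
    if proc["event_loop_delay"] >= loop_warn_ms:
        alerts.append(f"event loop delay {proc['event_loop_delay']:.0f} ms")
    # Share of failed/rejected requests over the interval between snapshots,
    # computed from the cumulative counters so a steady background rate
    # does not mask a sudden burst.
    new_total = (curr["metrics"]["requests"]["total"]
                 - prev["metrics"]["requests"]["total"])
    if new_total > 0:
        new_failed = _failed_or_rejected(curr) - _failed_or_rejected(prev)
        ratio = new_failed / new_total
        if ratio >= fail_ratio_warn:
            alerts.append(f"{ratio:.0%} of {new_total} new requests "
                          f"were 5xx or 413")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(BASELINE, UNDER_ATTACK):
        print("ALERT:", alert)
```

Poll the status endpoint on a short interval, keep the previous snapshot, and page on any non-empty result; the heap and event loop checks catch the exhaustion itself, while the 413 share catches attempts that a payload limit is already blocking.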


Advisories

No advisories yet.

History

Thu, 28 May 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Elastic, Elastic kibana
Type: Vendors & Products
  Values Added: Elastic, Elastic kibana

Thu, 28 May 2026 19:45:00 +0000

Type: Description
  Values Added: Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
Type: Title
  Values Added: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
Type: Weaknesses
  Values Added: CWE-400
Type: References
  Values Added: (empty)
Type: Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-28T19:35:31.655Z

Reserved: 2026-03-20T10:53:23.100Z

Link: CVE-2026-33464

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T20:16:23.043

Modified: 2026-05-28T20:16:23.043

Link: CVE-2026-33464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T20:30:25Z

Weaknesses