Impact
Uncontrolled Resource Consumption (CWE-400) in Kibana allows an authenticated low-privileged user to submit a specially crafted Timelion visualization expression that causes the service to allocate memory exponentially. The resulting data structure grows without bound, exhausting available memory and leading to a crash that renders Kibana unavailable to all users. The vulnerability is an instance of Excessive Allocation (CAPEC-130) and delivers a service-stop impact for the entire Kibana deployment.
Affected Systems
Elastic Kibana is the affected product. The vulnerability applies to versions referenced in the Elastic security discussion, but no specific version range is provided in the CVE data. Users should review the supplied advisory to confirm the exact version scope in their environment.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity; no EPSS score is available for this entry. The vulnerability requires the attacker to be an authenticated user with low privileges, an access level that is common in many organizations. An attacker who can log in can craft the malicious expression and trigger memory exhaustion, resulting in a denial of service that affects all Kibana users. Because exploitation requires an authenticated account rather than unauthenticated remote access, the overall risk is lower than that of remote code execution but remains significant for availability. The vulnerability is not listed in the CISA KEV catalog as of the current data.
OpenCVE Enrichment