Description
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Elastic Kibana allows an authenticated user with viewer-level access to submit an oversized input value to an analytics collections management endpoint. The input triggers excessive CPU and memory consumption, leading to a denial of service for all users. The weakness is identified as CWE-400, Uncontrolled Resource Consumption, which can disrupt availability by exhausting system resources.

Affected Systems

The affected product is Elastic Kibana. No specific version information is provided in the CNA data, so potentially vulnerable Kibana deployments cannot be identified by version alone. Administrators should review logs for excessive resource usage and refer to vendor advisories for any patch availability.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability falls into the medium severity range, and the EPSS score is not available, indicating limited publicly known exploitation. The vulnerability is not listed in CISA KEV, which suggests it has not yet been widely observed in the wild. The attack requires authenticated access with viewer-level permissions, implying the attacker must already have legitimate credentials or must compromise a user account. The likely attack vector is the Kibana web interface, where the user can submit the oversized payload. Upon exploitation, the service becomes unavailable until it is manually recovered, impacting availability.

Generated by OpenCVE AI on May 28, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade or patch Kibana to the latest release that resolves the issue
  • If a patch is unavailable, configure the application or web server to enforce a maximum request size or input length to block oversized payloads
  • Verify that the analytics collections management endpoint is disabled or restricted if not in use, thereby reducing the attack surface
  • Restart Kibana after applying changes to clear any residual high resource consumption


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 13:45:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Elastic; Elastic kibana

Type: Vendors & Products
Values removed: (none)
Values added: Elastic; Elastic kibana

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values removed: (none)
Values added: Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.

Type: Title
Values removed: (none)
Values added: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Type: Weaknesses
Values removed: (none)
Values added: CWE-400

Type: References
Values removed: (none)
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-29T16:47:19.970Z

Reserved: 2026-05-27T11:31:33.582Z

Link: CVE-2026-49094

Vulnrichment

Updated: 2026-05-29T16:21:15.039Z

NVD

Status: Analyzed

Published: 2026-05-28T21:16:34.503

Modified: 2026-06-01T13:31:57.200

Link: CVE-2026-49094

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:15:06Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption