CVE-2026-42399
6.5 MEDIUMUncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130)
Published: 2026-05-28 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-400
Affected products
| Vendor | Product |
|---|---|
| elastic | kibana |
Description
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-49095 — Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation (6.5 MEDIUM)
- CVE-2026-49094 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
- CVE-2026-49093 — Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operat... (6.3 MEDIUM)
- CVE-2026-42400 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
- CVE-2026-42398 — Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-co... (7.7 HIGH)
Same CWE
- CVE-2026-47734 — Dulwich is a pure-Python implementation of the Git file formats and protocols (5.7 MEDIUM)
- CVE-2026-46689 — Kanidm is an identity management platform
- CVE-2026-46679 — libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)
- CVE-2026-46522 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2026-45783 — libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)