CVE-2026-49094

6.5 MEDIUM

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130)

Published: 2026-05-28 · Last updated: 2026-06-01

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400

Affected products

Vendor	Product
elastic	kibana

Description

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-49094
[Vendor advisory]https://discuss.elastic.co/t/kibana-8-19-16-security-update-esa-2026-39/386561/1

Related CVEs

Same vendor

CVE-2026-49095 — Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation (6.5 MEDIUM)
CVE-2026-49093 — Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operat... (6.3 MEDIUM)
CVE-2026-42400 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
CVE-2026-42399 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
CVE-2026-42398 — Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-co... (7.7 HIGH)

Same CWE

CVE-2026-47734 — Dulwich is a pure-Python implementation of the Git file formats and protocols (5.7 MEDIUM)
CVE-2026-46689 — Kanidm is an identity management platform
CVE-2026-46679 — libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)
CVE-2026-46522 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
CVE-2026-45783 — libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)