CVE-2026-0528

MEDIUM

Elastic Kibana < 7.17.29 - Improper Array Index Validation

Title source: rule

Description

Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

References (1)

[Vendor Advisory] https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-129

Status published

Products (2)

elastic/beats 0 - 7.0.0-alpha2.0.20251217054608-6e42552a23ceGo

elastic/kibana 7.0.0 - 7.17.29

Published Jan 13, 2026

Tracked Since Feb 18, 2026