CVE-2026-0543

MEDIUM

Kibana 7.0.0-7.17.29 - Authenticated Denial of Service via Email Connector Address Parameter

Title source: llm

Description

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523

Scores

CVSS v3 6.5

EPSS 0.0037

EPSS Percentile 28.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-770

Status published

Products (1)

elastic/kibana 7.0.0 - 7.17.29

Published Jan 13, 2026

Tracked Since Feb 18, 2026