CVE-2026-33459

MEDIUM

Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Title source: cna

Description

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.

References (1)

https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 13.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (4)

Elastic/Kibana 8.15.0 - 8.19.13

elastic/kibana 8.15.0 - 8.19.14

Elastic/Kibana 9.0.0 - 9.2.7

Elastic/Kibana 9.3.0 - 9.3.2

Published Apr 08, 2026

Tracked Since Apr 08, 2026