Kibana: Malicious Search Queries Can Crash the Application

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Kibana: Malicious Search Queries Can Crash the Application

CVE-2026-26935

Summary

Kibana's search function is not properly checking user input, which could allow an attacker to send a specially crafted search query that crashes the application. This could prevent legitimate users from accessing the search function. To protect against this, update Kibana to the latest version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
elastic	kibana	> 8.4.0 , <= 8.19.12	–
elastic	kibana	> 9.0.0 , <= 9.2.6	–
elastic	kibana	9.3.0	–

Original title

Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

Original description

Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

nvd CVSS3.1 7.5

Vulnerability type

CWE-20 Improper Input Validation

https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026... Vendor Advisory

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026