Kibana AI Inference Anonymization Engine crashes from bad input

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Kibana AI Inference Anonymization Engine crashes from bad input

CVE-2026-26936

Summary

Kibana's AI Inference Anonymization Engine can be slowed down or crash if it's given a very complex pattern to process. This can happen if an attacker sends a specially crafted input. To protect your Kibana instance, ensure that your input data is properly sanitized and validate it before passing it to the engine.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
elastic	kibana	> 8.0.0 , <= 8.19.11	–
elastic	kibana	> 9.0.0 , <= 9.2.5	–

Original title

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

Original description

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

nvd CVSS3.1 7.5

Vulnerability type

CWE-1333 Inefficient Regular Expression Complexity (ReDoS)

https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-14/38... Vendor Advisory

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026