6.5
Kibana Can Be Made Unresponsive by Malformed Input
CVE-2026-26934
Summary
Kibana has a flaw that allows an attacker with limited access to send specific, corrupted data that causes Kibana to consume too many resources, become unresponsive, or even crash. To protect against this, ensure that all data sent to Kibana is properly validated and sanitized.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| elastic | kibana | > 8.18.0, <= 8.19.12 | – |
| elastic | kibana | > 9.0.0, <= 9.2.6 | – |
| elastic | kibana | 9.3.0 | – |
Original title
Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC...
Original description
Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.
NVD CVSS 3.1
6.5
Vulnerability type
CWE-1284
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026