Kibana Timelion Can Be Crashed by Malformed Input Data

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Kibana Timelion Can Be Crashed by Malformed Input Data

CVE-2026-26937

Summary

The Timelion component in Kibana is vulnerable to a denial-of-service attack if it's given special kinds of data. This can cause the component to stop working. To stay safe, make sure to update Kibana to the latest version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
elastic	kibana	> 8.0.0 , <= 8.19.11	–
elastic	kibana	> 9.0.0 , <= 9.2.5	–

Original title

Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

Original description

Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

nvd CVSS3.1 7.5

Vulnerability type

CWE-400 Uncontrolled Resource Consumption

https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/38... Vendor Advisory

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026