CVE-2026-0531Allocation of Resources Without Limits or Throttling in Kibana

CWE-770Allocation of Resources Without Limits or Throttling5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 80.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedJan 13

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDelastic/kibana7.10.07.17.29+3
CVEListV5elastic/kibana7.10.07.17.29+3

🔴Vulnerability Details

2
CVEList
Allocation of Resources Without Limits or Throttling in Kibana Fleet2026-01-13
GHSA
GHSA-g37r-x966-x536: Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bu2026-01-13

📋Vendor Advisories

1
Red Hat
kibana: allocation of resources without limits or throttling via specially crafted bulk retrieval request2026-01-13

🕵️Threat Intelligence

1
Wiz
CVE-2026-0531 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-0531 — Elastic Kibana vulnerability | cvebase