CVE-2026-0531
published 2026-01-13

CVE-2026-0531: Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk…

Priority: P3 39 medium | CVSS 3.1: 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.42% (33.3th percentile)
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 7.10.0 < 7.17.29 | 7.17.29 |
| elastic | kibana | 7.10.0 – 7.17.29 | |
| elastic | kibana | >= 8.0.0 < 8.19.10 | 8.19.10 |
| elastic | kibana | 8.0.0 – 8.19.9 | |
| elastic | kibana | >= 9.0.0 < 9.1.10 | 9.1.10 |
| elastic | kibana | 9.0.0 – 9.1.9 | |
| elastic | kibana | >= 9.2.0 < 9.2.4 | 9.2.4 |
| elastic | kibana | 9.2.0 – 9.2.3 | |

CVSS provenance

nvd: v3.1, 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 6.5 MEDIUM