CVE-2026-0543 — Improper Input Validation in Kibana

CWE-20 — Improper Input Validation CWE-770 — Allocation of Resources Without Limits or Throttling5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 73.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedJan 13

Description

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDelastic/kibana8.0.0 — 8.19.0+3

▶CVEListV5elastic/kibana8.0.0 — 8.19.9+3

🔴Vulnerability Details

CVEList

Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation↗2026-01-13

▶

GHSA

GHSA-p2g6-3qpg-4v6h: Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially↗2026-01-13

▶

📋Vendor Advisories

Red Hat

Kibana: Kibana: Denial of Service due to improper input validation in Email Connector↗2026-01-13

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0543 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶