CVE-2026-42399
published 2026-05-28


Priority: P4 | 33 | medium | 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.30% (21.2th percentile)
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.

Affected

4 ranges

Vendor   Product  Version range         Fixed in
elastic  kibana   >= 8.0.0 < 8.19.16    8.19.16
elastic  kibana   8.0.0 – 8.19.15
elastic  kibana   >= 9.0.0 < 9.3.5      9.3.5
elastic  kibana   9.0.0 – 9.3.4