CVE-2026-42399
Published 2026-05-28
Priority P4 · 33 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.30% (21.2th percentile)
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 8.0.0 < 8.19.16 | 8.19.16 |
| elastic | kibana | 8.0.0 – 8.19.15 | — |
| elastic | kibana | >= 9.0.0 < 9.3.5 | 9.3.5 |
| elastic | kibana | 9.0.0 – 9.3.4 | — |
GHSA
GHSA-hcw2-vpp7-52v9: Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130)
ghsa_unreviewed·2026-05-28
CVE-2026-42399 [MEDIUM] CWE-400 GHSA-hcw2-vpp7-52v9: Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130)
VulDB
Elastic Kibana up to 8.19.15/9.3.4 resource consumption
vuldb·2026-05-28·CVSS 6.5
CVE-2026-42399 [MEDIUM] Elastic Kibana up to 8.19.15/9.3.4 resource consumption
A vulnerability classified as problematic has been found in Elastic Kibana up to 8.19.15/9.3.4. Affected by this issue is some unknown functionality. Performing a manipulation results in resource consumption.
This vulnerability is cataloged as CVE-2026-42399. It is possible to initiate the attack remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-28: Published