{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0528", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2025-12-19T15:27:18.049Z", "datePublished": "2026-01-13T21:02:18.501Z", "dateUpdated": "2026-01-13T21:25:10.446Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Metricbeat", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "7.17.29", "status": "affected", "version": "7.0.0", "versionType": "semver"}, {"lessThanOrEqual": "8.19.9", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.1.9", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.3", "status": "affected", "version": "9.2.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.</p>"}], "value": "Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-01-13T21:02:18.501Z"}, "references": [{"url": "https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519"}], "credits": [{"lang": "en", "value": "pkill-arjun", "type": "reporter"}], "source": {"discovery": "Elastic"}, "title": "Improper Input Validation in Metricbeat Leading to Denial of Service", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T21:23:21.867774Z", "id": "CVE-2026-0528", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:25:10.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0528", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T21:23:21.867774Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:25:03.101Z"}}], "cna": {"title": "Improper Input Validation in Metricbeat Leading to Denial of Service", "source": {"discovery": "Elastic"}, "credits": [{"lang": "en", "type": "reporter", "value": "pkill-arjun"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Metricbeat", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.17.29"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.19.9"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.1.9"}, {"status": "affected", "version": "9.2.0", "versionType": "semver", "lessThanOrEqual": "9.2.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-01-13T21:02:18.501Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0528", "state": "PUBLISHED", "dateUpdated": "2026-01-13T21:25:10.446Z", "dateReserved": "2025-12-19T15:27:18.049Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-01-13T21:02:18.501Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DE7E670-76C6-4E95-BDD0-9322E42929BB", "versionEndExcluding": "7.17.29", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "8707CF69-9922-490B-B64F-38F2D31E2CA1", "versionEndExcluding": "8.19.10", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC3281ED-A331-43DC-9705-80A3FA3E6C75", "versionEndExcluding": "9.1.10", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BF9D6AE-B07F-4516-A684-60B02BF731A0", "versionEndExcluding": "9.2.4", "versionStartIncluding": "9.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data."}], "id": "CVE-2026-0528", "lastModified": "2026-01-22T19:57:29.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@elastic.co", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-13T21:15:50.647", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:27:22.611707+00:00", "value": {"mitigation_remediation": ["Upgrade Metricbeat to version 8.19.10\u20119.1\u201110.9\u20112\u20114 or later to apply the array\u2011index validation patch.", "Limit access to the metric ingestion endpoints (Graphite, Zookeeper, Prometheus) so that only trusted sources can send data, using firewall or IP filtering.", "Monitor Metricbeat logs and metrics for abnormal ingestion patterns and configure alerts for potential denial\u2011of\u2011service attempts."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Elastic Metricbeat deployments are affected, especially those using the Graphite or Zookeeper metric sets or the Prometheus helper module. All versions prior to the security update 8.19.10\u20119.1\u201110.9\u20112\u20114 lack the necessary checks and are vulnerable.", "description_and_impact": "Improper validation of array indices and generic input validation flaws in Metricbeat can allow an attacker to send specially crafted, malformed metric data that makes the service consume excessive resources and ultimately fail to respond. The vulnerability resides in the Graphite and Zookeeper metric sets as well as the Prometheus helper module, enabling a denial\u2011of\u2011service attack via input data manipulation.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity, while an EPSS of less than 1% suggests a low chance of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be remote, achievable by any actor that can transmit metric data to a Metricbeat instance \u2013 for example, a malicious data source sending crafted payloads to the Graphite, Zookeeper, or Prometheus endpoints."}}}}, "created": "2026-01-14T11:07:49.917133+00:00", "updated": "2026-04-18T06:30:25.911704+00:00", "vendors": ["elastic", "elastic$PRODUCT$metricbeat"]}