{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0530", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2025-12-19T15:50:33.248Z", "datePublished": "2026-01-13T21:03:13.655Z", "dateUpdated": "2026-01-13T21:25:28.056Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "7.17.29", "status": "affected", "version": "7.10.0", "versionType": "semver"}, {"lessThanOrEqual": "8.19.9", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.1.9", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.3", "status": "affected", "version": "9.2.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.</p>"}], "value": "Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-01-13T21:03:13.655Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521"}], "source": {"discovery": "Elastic"}, "title": "Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T21:23:15.107304Z", "id": "CVE-2026-0530", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:25:28.056Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T21:23:15.107304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:25:22.781Z"}}], "cna": {"title": "Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "7.10.0", "versionType": "semver", "lessThanOrEqual": "7.17.29"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.19.9"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.1.9"}, {"status": "affected", "version": "9.2.0", "versionType": "semver", "lessThanOrEqual": "9.2.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.", "supportingMedia": [{"type": "text/html", "value": "<p>Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-01-13T21:03:13.655Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0530", "state": "PUBLISHED", "dateUpdated": "2026-01-13T21:25:28.056Z", "dateReserved": "2025-12-19T15:50:33.248Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-01-13T21:03:13.655Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "1863989E-58AD-4481-B872-DF5AC637F854", "versionEndExcluding": "7.17.29", "versionStartIncluding": "7.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "8707CF69-9922-490B-B64F-38F2D31E2CA1", "versionEndExcluding": "8.19.10", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC3281ED-A331-43DC-9705-80A3FA3E6C75", "versionEndExcluding": "9.1.10", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BF9D6AE-B07F-4516-A684-60B02BF731A0", "versionEndExcluding": "9.2.4", "versionStartIncluding": "9.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs."}], "id": "CVE-2026-0530", "lastModified": "2026-01-22T19:58:42.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@elastic.co", "type": "Secondary"}]}, "published": "2026-01-13T21:15:50.817", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "kibana: allocation of resources without limits or throttling via specially crafted request", "id": "2429391", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429391"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.", "A flaw was found in Kibana Fleet. A remote attacker could exploit this vulnerability by sending a specially crafted request, leading to an excessive allocation of resources. This continuous consumption of system resources can result in service degradation or complete unavailability, effectively causing a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-0530", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2026-01-13T21:03:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0530\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0530\nhttps://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521"], "statement": "This issue allows a remote attacker with low-level privileges to cause an excessive allocation of resources by sending specially crafted requests, eventually resulting in a denial of service. As the attacker must have low-level privileges to exploit this issue, this vulnerability has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T06:27:06.211892+00:00", "value": {"mitigation_remediation": ["Apply the latest Kibana security update (8.19.10.9.1 or 8.19.10.9.2.4) to enforce resource limits on Fleet operations.", "Restrict external access to the Kibana Fleet endpoint using firewall rules or network segmentation, limiting traffic to trusted internal networks.", "If Fleet is not required, disable the feature or remove it from the configuration to eliminate the attack surface."], "summary": {"action": "Patch", "impact": "Resource Exhaustion Leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Elastic Kibana product. All versions that include the Fleet feature and have not yet applied the 8.19.10.9.1/8.19.10.9.2.4 security update are potentially vulnerable. Specific version numbers are not listed, so administrators should verify whether their Kibana release contains the Fleet component and apply the latest update.", "description_and_impact": "Elastic Kibana\u2019s Fleet component allocates system resources without limits or throttling, a defect identified as CWE-770. A specially crafted request triggers redundant processing operations that relentlessly consume CPU, memory, or disk I/O until the service becomes degraded or unavailable. This denial of service condition can affect all users of an impacted Kibana instance, compromising availability but not directly exposing data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity rating. The EPSS score is less than 1%, suggesting a low but nonzero likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw by sending a specially crafted request to the Kibana Fleet endpoint over the network; no privileged access is required, though the attacker must be able to reach the Kibana service."}}}}, "created": "2026-01-14T11:07:43.670714+00:00", "updated": "2026-04-18T06:30:25.911205+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}