{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26935", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-02-16T16:42:05.773Z", "datePublished": "2026-02-26T17:05:16.619Z", "dateUpdated": "2026-02-26T18:28:11.607Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.3.0", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThanOrEqual": "8.19.11", "status": "affected", "version": "8.4.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.5", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)</p>"}], "value": "Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-02-26T17:05:16.619Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-13/385249"}], "source": {"discovery": "Elastic"}, "title": "Improper Input Validation in Kibana Leading to Denial of Service", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26935", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T17:51:42.935666Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:28:11.607Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26935", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T17:51:42.935666Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T17:53:29.853Z"}}], "cna": {"title": "Improper Input Validation in Kibana Leading to Denial of Service", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.3.0", "versionType": "semver", "lessThanOrEqual": "9.3.0"}, {"status": "affected", "version": "8.4.0", "versionType": "semver", "lessThanOrEqual": "8.19.11"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.2.5"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-13/385249"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-02-26T17:05:16.619Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26935", "state": "PUBLISHED", "dateUpdated": "2026-02-26T18:28:11.607Z", "dateReserved": "2026-02-16T16:42:05.773Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-02-26T17:05:16.619Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "29B0B2CE-953F-4AD3-A8AC-3643A28586B7", "versionEndExcluding": "8.19.12", "versionStartIncluding": "8.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "F14ACA8C-46A2-42EF-9F63-AEF657C6736A", "versionEndExcluding": "9.2.6", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E90DE12-A5EC-4C3C-A86E-BF5AA0778628", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)"}], "id": "CVE-2026-26935", "lastModified": "2026-03-02T15:58:14.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@elastic.co", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T18:23:07.817", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-13/385249"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "9.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.4.0,8.19.11]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.2.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kibana", "source": "cna", "vendor": "Elastic"}, "product": "kibana", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-04-18T10:22:46.537580+00:00", "value": {"mitigation_remediation": ["Apply the latest Kibana patch that addresses the input validation flaw, such as upgrading to the most recent stable release.", "If an upgrade cannot be performed immediately, mitigate by limiting the size and complexity of search queries to the Content Connectors endpoint, or by disabling the feature if it is not needed.", "Implement request rate limiting or firewall rules to block excessive or malformed traffic to the endpoint."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Elastic's Kibana product. All installations that expose the internal Content Connectors search endpoint are susceptible until patched. Versions of Kibana that include this endpoint, such as those listed in the CVE payload, are impacted.", "description_and_impact": "Improper input validation in Kibana's internal Content Connectors search endpoint enables crafted requests to exploit a flaw in data handling, resulting in denial of service for the Kibana service. Classified as CWE\u201120, the flaw can cause the target system to become unresponsive or crash, disrupting service availability for users and potentially impacting integrated dashboards or monitoring tools.", "risk_and_exploitability": "The CVSS score is 6.5, indicating a moderate risk. EPSS is less than 1%, suggesting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The flaw can be exploited remotely by sending malicious requests to the search endpoint over HTTP(S); no local privilege or authentication is required, making the attack vector potentially network-based. Successful exploitation would result in service interruption for Kibana consumers."}}}}, "created": "2026-02-27T09:07:21.826179+00:00", "updated": "2026-04-18T10:30:35.761483+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}