{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26937", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-02-16T16:42:05.774Z", "datePublished": "2026-02-26T17:51:35.421Z", "dateUpdated": "2026-02-27T16:04:41.385Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.2.4", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"lessThanOrEqual": "8.19.10", "status": "affected", "version": "8.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)</p>"}], "value": "Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-02-26T17:51:35.421Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/385251"}], "source": {"discovery": "Elastic"}, "title": "Uncontrolled Resource Consumption in Kibana Leading to Denial of Service", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T16:04:31.928042Z", "id": "CVE-2026-26937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:04:41.385Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T16:04:31.928042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:04:36.388Z"}}], "cna": {"title": "Uncontrolled Resource Consumption in Kibana Leading to Denial of Service", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.2.4"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.19.10"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/385251"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)", "supportingMedia": [{"type": "text/html", "value": "<p>Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-02-26T17:51:35.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26937", "state": "PUBLISHED", "dateUpdated": "2026-02-27T16:04:41.385Z", "dateReserved": "2026-02-16T16:42:05.774Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-02-26T17:51:35.421Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "6617179C-2808-48E0-9794-119BBEE79D9E", "versionEndExcluding": "8.19.11", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "777B69F7-F3EB-491F-8B6D-418A0E9C0D02", "versionEndExcluding": "9.2.5", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)"}], "id": "CVE-2026-26937", "lastModified": "2026-03-02T15:43:52.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@elastic.co", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T19:32:39.747", "references": [{"source": "security@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/385251"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.2.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.19.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Kibana", "source": "cna", "vendor": "Elastic"}, "product": "kibana", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-04-17T14:18:30.880937+00:00", "value": {"mitigation_remediation": ["Install the latest Kibana release that contains the fix for Timelion resource exhaustion.", "Restrict or disable the Timelion feature for users who do not need it or implement role\u2011based access controls to limit interaction with Timelion.", "Configure resource limits or rate\u2011limiting on the Kibana HTTP API to prevent excessive query loads from a single user or source.", "Monitor system metrics for abnormal CPU or memory consumption and set alerts to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects Elastic Kibana installations that include the Timelion feature. No specific version is listed, so any deployment that has not applied the latest security update could be vulnerable. Administrators should verify that they are running a patched version of Kibana in which Timelion has been hardened.", "description_and_impact": "The vulnerability is uncontrolled resource consumption in Kibana\u2019s Timelion component. An attacker can supply crafted input to trigger excessive processing, leading to high CPU or memory usage and a denial of service. This weakness is classified as CWE\u2011400 and is achieved through input data manipulation (CAPEC\u2011153). The impact is a disruption of Kibana service availability for all users, while confidentiality and integrity remain unaffected.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating medium severity. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is HTTP requests targeting the Timelion component with malicious query data; the attacker needs network access to Kibana and knowledge of Timelion\u2019s input syntax, but no elevated privileges are required. If an attacker can reach the service, they may cause service disruption without needing a separate compromise."}}}}, "created": "2026-02-27T09:07:15.502993+00:00", "updated": "2026-04-17T14:30:20.815580+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}