Allocation of Resources Without Limits or Throttling in Kibana Fleet (ESA-2026-04)
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.
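The defect class above (CWE-770) is easiest to see as a bulk "get by ids" handler that buffers one backend retrieval per requested id, repeats included, with no ceiling, beside a version that applies the missing controls. The following is an added illustration and is not Kibana's or Fleet's own code; the names `fetchPolicy`, `handleBulkGetUnbounded`, `handleBulkGetBounded`, `MAX_BULK_IDS` and the in-memory store are assumptions chosen for the example.

```typescript
// Added example, not Kibana/Fleet code. Contrasts an unbounded bulk-retrieval
// handler (the CWE-770 pattern) with one that caps request size and
// deduplicates ids before touching the backend.

type Policy = { id: string; payload: string };

// Constructed in-memory "store" standing in for a saved-objects backend.
const STORE = new Map<string, Policy>(
  ["p1", "p2", "p3"].map((id) => [id, { id, payload: "x".repeat(1024) }] as [string, Policy])
);

// Counts backend retrievals so the redundant work is visible.
let fetchCount = 0;
function getFetchCount(): number { return fetchCount; }
function resetCounter(): void { fetchCount = 0; }

// Assumed backend call: one retrieval per invocation.
function fetchPolicy(id: string): Policy | undefined {
  fetchCount += 1;
  return STORE.get(id);
}

// Unbounded: every id in the request, including repeats, is fetched and
// buffered. Memory and backend work grow linearly with request size.
function handleBulkGetUnbounded(ids: string[]): Policy[] {
  const out: Policy[] = [];
  for (const id of ids) {
    const p = fetchPolicy(id);
    if (p) out.push(p);
  }
  return out;
}

// Assumed cap on ids per request; set according to deployment capacity.
const MAX_BULK_IDS = 100;

type BulkResult =
  | { ok: true; items: Policy[] }
  | { ok: false; status: 400; reason: string };

// Bounded: reject oversize requests before any backend work, and collapse
// duplicates so each distinct id is retrieved at most once.
function handleBulkGetBounded(ids: unknown): BulkResult {
  if (!Array.isArray(ids) || !ids.every((x) => typeof x === "string")) {
    return { ok: false, status: 400, reason: "ids must be an array of strings" };
  }
  if (ids.length > MAX_BULK_IDS) {
    return { ok: false, status: 400, reason: `at most ${MAX_BULK_IDS} ids per request` };
  }
  const unique = Array.from(new Set(ids as string[]));
  const items: Policy[] = [];
  for (const id of unique) {
    const p = fetchPolicy(id);
    if (p) items.push(p);
  }
  return { ok: true, items };
}
```

The size check runs before any retrieval, so an over-limit request costs the server nothing beyond parsing the body; the deduplication bounds backend calls by the number of distinct ids rather than the length of the list. In a real deployment the cap belongs alongside request-body size limits and per-principal rate limiting, and rejected requests should be logged with the caller identity so that repeated over-limit requests from a low-privilege account are visible to detection.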
Affected Versions:
- 7.x: All versions from 7.10.0 up to and including 7.17.29
- 8.x: All versions from 8.0.0 up to and including 8.19.9
- 9.x:
  - All versions from 9.0.0 up to and including 9.1.9
  - All versions from 9.2.0 up to and including 9.2.3
Solutions and Mitigations:
The issue is resolved in versions 8.19.10, 9.1.10, and 9.2.4.
For Users that Cannot Upgrade:
There are no workarounds.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-0531
Problem Type: CWE-770 - Allocation of Resources Without Limits or Throttling
Impact: CAPEC-130 - Excessive Allocation