Kibana 8.19.11, 9.2.5 Security Update (ESA-2026-14)

Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492). Per the CVSS vector below, the issue is reachable over the network by a highly privileged user and affects availability only.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.10
  • 9.x: All versions from 9.0.0 up to and including 9.2.4

Affected Configurations:
The Elastic AI Assistant for Security is not enabled by default in Kibana. Users must explicitly configure an AI connector (e.g., OpenAI, Amazon Bedrock, or Elastic Managed LLM) and enable the AI Assistant feature from the GenAI Settings page.

Solutions and Mitigations:

The issue is resolved in versions 8.19.11 and 9.2.5.

For Users that Cannot Upgrade:

If the AI Assistant has been enabled with custom anonymization rules, disable those rules:

Disable Custom Anonymization Rules:

  • Navigate to Security AI settings → Anonymization tab in Kibana and disable all custom anonymization rules. This prevents the vulnerable regex processing pipeline from executing until the upgrade can be applied.
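The following is an added example, not Kibana's code and not the pattern referenced in this advisory. It shows what CWE-1333 looks like in a regex-driven anonymization step: a constructed rule pattern with a nested quantifier that backtracks exponentially on a crafted value, the same rule rewritten so matching stays linear, and a crude pre-deployment timing check a practitioner can run on a custom rule pattern before enabling it. BAD_RULE, GOOD_RULE, the sample values and the placeholder are all assumptions made for illustration.

```javascript
// Added example (not Kibana's code): CWE-1333 in a regex-driven anonymization
// step. BAD_RULE and GOOD_RULE are constructed for illustration; they are NOT
// the pattern referenced in ESA-2026-14. Needs Node 16+ (global performance).

// Hypothetical custom anonymization rule: "a value made of words separated by
// single spaces". The quantified group (\w+\s?)* with an optional separator
// gives 2^(n-1) ways to split a run of n word characters; a final character
// that cannot match makes the engine try every one of them (OWASP "evil regex").
const BAD_RULE = /^(\w+\s?)*$/;

// Same language, written so each character can be consumed only one way:
// \w and \s are disjoint, so no alternatives overlap and backtracking is linear.
const GOOD_RULE = /^(?:\w+(?:\s\w+)*\s?)?$/;

// Minimal anonymization step: replace a value the rule matches with a placeholder.
function anonymize(value, rule, placeholder) {
  return rule.test(value) ? placeholder : value;
}

// Adversarial value: n word characters followed by one that forces a final
// mismatch, so the engine cannot succeed early and must exhaust all splits.
function adversarialInput(n) {
  return "a".repeat(n) + "!";
}

// Time a single match; returns the boolean result and elapsed milliseconds.
function timeMatch(rule, input) {
  const t0 = performance.now();
  const matched = rule.test(input);
  return { matched, ms: performance.now() - t0 };
}

// The rewrite must not change which values get anonymized: return the sample
// values on which the two rules disagree (expected: none).
function disagreements(samples) {
  return samples.filter((s) => BAD_RULE.test(s) !== GOOD_RULE.test(s));
}

// Crude pre-deployment check for a rule pattern: grow the adversarial input
// by 8 characters and flag the rule if the match time explodes rather than
// growing roughly in proportion. A 0.01 ms floor keeps timer noise from
// producing a false alarm on trivially fast matches.
function looksSuperlinear(rule, small = 12, large = 20, factor = 16) {
  const a = timeMatch(rule, adversarialInput(small)).ms;
  const b = timeMatch(rule, adversarialInput(large)).ms;
  return b > factor * Math.max(a, 0.01);
}

// Constructed benign values: empty, single word, words, trailing space,
// leading space, double space, trailing punctuation.
const BENIGN_SAMPLES = ["", "alice", "alice smith", "alice smith ", " alice", "a  b", "alice!"];

// Stand-alone demonstration: BAD_RULE's time roughly doubles per added
// character, GOOD_RULE's stays flat.
for (const n of [12, 16, 20]) {
  const bad = timeMatch(BAD_RULE, adversarialInput(n));
  const good = timeMatch(GOOD_RULE, adversarialInput(n));
  console.log(`n=${n}: BAD_RULE ${bad.ms.toFixed(2)} ms, GOOD_RULE ${good.ms.toFixed(2)} ms`);
}
console.log("rules disagree on:", disagreements(BENIGN_SAMPLES));
console.log("anonymize:", anonymize("alice smith", GOOD_RULE, "[USER]"));
console.log("BAD_RULE looks superlinear:", looksSuperlinear(BAD_RULE));
console.log("GOOD_RULE looks superlinear:", looksSuperlinear(GOOD_RULE));
```

The timing check is a heuristic, not a proof: a pattern that passes it can still be superlinear on an input shape the check does not generate. The structural rule of thumb behind GOOD_RULE is the reliable one: avoid a quantifier applied to a group whose alternatives (or whose body and the following token) can consume the same characters, so that any given input can only be split one way.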

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (4.9) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26936
Problem Type: CWE-1333 - Inefficient Regular Expression Complexity
Impact: CAPEC-492 - Regular Expression Exponential Blowup