Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.10
- 9.x: All versions from 9.0.0 up to and including 9.2.4
Affected Configurations:
Timelion is a legacy visualization feature that is available by default in Kibana installations.
Solutions and Mitigations:
The issue is resolved in versions 8.19.11 and 9.2.5.
For Users that Cannot Upgrade:
Self Managed
Customers who do not use Timelion visualizations can disable the plugin by adding the following to kibana.yml:
vis_type_timelion.enabled: false
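
A triage check for self-managed nodes, added here as an example and not Elastic's own code: it compares a Kibana version against the affected ranges listed in this advisory and looks for the mitigation line in kibana.yml. The function names, status strings and sample file are assumptions of this example, and only the flat dotted key shown above is recognised.

```python
import re

# Affected ranges as listed in the advisory (inclusive), keyed by major version.
AFFECTED = {8: ((8, 0, 0), (8, 19, 10)), 9: ((9, 0, 0), (9, 2, 4))}
SETTING = "vis_type_timelion.enabled"

def parse_version(text):
    """Return (major, minor, patch); suffixes such as -SNAPSHOT are ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    v = parse_version(version)
    bounds = AFFECTED.get(v[0])  # majors the advisory does not list -> None
    return bounds is not None and bounds[0] <= v <= bounds[1]

def timelion_disabled(kibana_yml):
    """True if an uncommented line sets the advisory's key to false."""
    # Assumption: nested YAML mappings are not parsed, and if the key
    # appears more than once this example lets the last occurrence win.
    disabled = False
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition(":")
        if sep and key.strip() == SETTING:
            disabled = value.strip().strip("'\"").lower() == "false"
    return disabled

def triage(version, kibana_yml):
    if not is_affected(version):
        return "not in affected range"
    if timelion_disabled(kibana_yml):
        return "affected version, Timelion disabled"
    return "affected version, Timelion enabled"

# Constructed sample input, not taken from a real deployment.
SAMPLE_YML = """\
server.host: "0.0.0.0"
# vis_type_timelion.enabled: false
vis_type_timelion.enabled: false   # mitigation for CVE-2026-26937
"""

if __name__ == "__main__":
    for ver in ("8.19.10", "8.19.11", "9.2.4", "9.2.5"):
        print(ver, "->", triage(ver, SAMPLE_YML))
```
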
Cloud
Disabling this plugin in Elastic Cloud Hosted environments is not possible. Customers on Elastic Cloud Hosted should prioritize upgrading to a patched version.
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26937
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-153 - Input Data Manipulation