Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-12)

Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

Affected Versions:

  • 8.x: All versions from 8.18.0 up to and including 8.19.11
  • 9.x:
    • All versions from 9.0.0 up to and including 9.2.5
    • Version 9.3.0

Affected Configurations:
Index Management is enabled by default in Kibana and does not require specific configuration to be active. This vulnerability requires authentication: the attacker must have valid Kibana credentials, but view-only privileges (such as the built-in viewer role) are sufficient to cause the crash.

Solutions and Mitigations:

The issue is resolved in versions 8.19.12, 9.2.6 and 9.3.1.

For Users that Cannot Upgrade:

The most effective mitigation is to apply the security patch as soon as possible. In the interim, customers could:

  • Monitor Kibana server resource utilization closely
  • Restrict authenticated access to Kibana to trusted users only
  • Consider implementing application-layer request size limits if feasible in their environment

Indicators of Compromise (IOC)

Search for POST requests with unusually large request body sizes (e.g., greater than 100KB). Monitor for sudden spikes in Kibana server CPU utilization, memory consumption, or unresponsiveness coinciding with requests to the enrich policies endpoint. Check system logs for Kibana process crashes or restarts that correlate with suspicious API requests.
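As an added defender-side example (not part of the advisory), the following Python script applies the IOC guidance above to constructed JSON access-log and process-log lines: it flags POST requests whose body exceeds 100 KB, rates those aimed at the enrich policies endpoint higher, and checks whether a Kibana crash or restart followed within a short window. The endpoint path `/api/enrich_policies`, the 60-second window and the log field names are assumptions; adapt them to your proxy or Kibana log format.

```python
import json
from datetime import datetime, timedelta

BODY_BYTES_THRESHOLD = 100 * 1024            # advisory's example threshold (100 KB)
ENRICH_PATH_PREFIX = "/api/enrich_policies"  # assumed path of the enrich policies API
CRASH_WINDOW = timedelta(seconds=60)         # assumed request-to-crash correlation window

# Constructed sample logs (JSON lines); field names are assumptions, not Kibana's own format.
SAMPLE_ACCESS_LOG = """\
{"ts":"2026-03-01T10:00:01Z","method":"GET","path":"/api/enrich_policies","user":"viewer1","body_bytes":0}
{"ts":"2026-03-01T10:00:05Z","method":"POST","path":"/api/enrich_policies","user":"viewer1","body_bytes":812}
{"ts":"2026-03-01T10:00:09Z","method":"POST","path":"/api/enrich_policies","user":"viewer1","body_bytes":4194304}
{"ts":"2026-03-01T10:05:10Z","method":"POST","path":"/api/saved_objects/_find","user":"analyst","body_bytes":150000}
"""
SAMPLE_PROCESS_LOG = """\
{"ts":"2026-03-01T09:58:00Z","event":"start"}
{"ts":"2026-03-01T10:00:21Z","event":"crash"}
{"ts":"2026-03-01T10:00:35Z","event":"restart"}
"""

def parse_jsonl(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def event_time(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))

def large_posts(events, threshold=BODY_BYTES_THRESHOLD):
    """POST requests whose body exceeds the threshold; enrich-policy requests rate higher."""
    hits = []
    for e in events:
        if e["method"] != "POST" or e["body_bytes"] <= threshold:
            continue
        severity = "high" if e["path"].startswith(ENRICH_PATH_PREFIX) else "medium"
        hits.append({**e, "severity": severity})
    return hits

def correlate_crashes(hits, process_events, window=CRASH_WINDOW):
    """Mark each hit that was followed by a Kibana crash or restart within the window."""
    crashes = [event_time(p) for p in process_events if p["event"] in ("crash", "restart")]
    out = []
    for h in hits:
        t = event_time(h)
        out.append({**h, "followed_by_crash": any(t <= c <= t + window for c in crashes)})
    return out

def analyze(access_text=SAMPLE_ACCESS_LOG, process_text=SAMPLE_PROCESS_LOG):
    return correlate_crashes(large_posts(parse_jsonl(access_text)), parse_jsonl(process_text))
```

Running `analyze()` on the sample data returns two findings: the 4 MB POST to the enrich endpoint (high, followed by a crash) and the 150 KB POST elsewhere (medium, no crash).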

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26934
Problem Type: CWE-1284 - Improper Validation of Specified Quantity in Input
Impact: CAPEC-153 - Input Data Manipulation