Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-13)

Improper Input Validation in Kibana Leading to Denial of Service

Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

Affected Versions:

  • 8.x: All versions from 8.4.0 up to and including 8.19.11
  • 9.x:
    • All versions from 9.0.0 up to and including 9.2.5
    • Version 9.3.0

Affected Configurations:
Users that have not configured Content Connectors are not affected by this vulnerability, as the vulnerable endpoint is only accessible when connectors exist in the deployment.

Solutions and Mitigations:

The issue is resolved in versions 8.19.12, 9.2.6, and 9.3.1.

For Users that Cannot Upgrade:

Restrict Access to Content Connectors:
Modify user roles to remove access to the Content Connectors feature for users who do not require it. This can be accomplished by:

  • Creating custom roles that exclude Kibana privileges for Content Connectors
  • Removing the viewer role from users who do not need Content Connectors access
  • Implementing more granular feature-level privileges
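
To find which roles the mitigation above applies to, this added example (not part of Elastic's advisory) audits role definitions in the shape returned by Kibana's role API. The feature ID is a placeholder, the sample roles are constructed, and the function names are illustrative.

```python
# Assumption: placeholder, not a real Kibana feature ID; substitute the ID
# your deployment uses for Content Connectors.
CONNECTORS_FEATURE_ID = "CONTENT_CONNECTORS_FEATURE_ID"

# Constructed sample in the shape returned by Kibana's GET /api/security/role.
SAMPLE_ROLES = [
    {"name": "viewer",
     "kibana": [{"base": ["read"], "feature": {}, "spaces": ["*"]}]},
    {"name": "dashboards_only",
     "kibana": [{"base": [], "feature": {"dashboard": ["read"]},
                 "spaces": ["default"]}]},
    {"name": "search_admin",
     "kibana": [{"base": [], "feature": {CONNECTORS_FEATURE_ID: ["all"]},
                 "spaces": ["search"]}]},
    {"name": "ingest_only", "kibana": []},
]


def connector_grants(role, feature_id=CONNECTORS_FEATURE_ID):
    """Return (space, reason) pairs for each Kibana grant that reaches the feature."""
    grants = []
    for entry in role.get("kibana", []):
        base = entry.get("base") or []
        feature_privs = (entry.get("feature") or {}).get(feature_id) or []
        if base:
            # Base privileges ("all"/"read") cover every feature in the space.
            reason = "base:" + ",".join(sorted(base))
        elif feature_privs:
            reason = "feature:" + ",".join(sorted(feature_privs))
        else:
            continue
        grants.extend((space, reason) for space in entry.get("spaces", []))
    return grants


def audit(roles, feature_id=CONNECTORS_FEATURE_ID):
    """Map role name -> grants, keeping only roles that can reach the feature."""
    report = {r["name"]: connector_grants(r, feature_id) for r in roles}
    return {name: grants for name, grants in report.items() if grants}


if __name__ == "__main__":
    for name, grants in audit(SAMPLE_ROLES).items():
        for space, reason in grants:
            print(f"{name}: space={space} via {reason}")
```

Roles flagged through a base privilege need to be replaced with feature-level roles, since a base privilege cannot exclude a single feature.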

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26935
Problem Type: CWE-20 - Improper Input Validation
Impact: CAPEC-153 - Input Data Manipulation