Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.12
- 9.x:
  - All versions from 9.0.0 up to and including 9.2.6
  - All versions from 9.3.0 up to and including 9.3.1
Affected Configurations:
The Timelion visualization plugin (visTypeTimelion) is enabled by default in Kibana and is listed under "Legacy editors" in the documentation.
Solutions and Mitigations:
The issue is resolved in versions 8.19.13, 9.2.7 and 9.3.2.
For Users that Cannot Upgrade:
Self-hosted
Users can disable the plugin by setting vis_type_timelion.enabled: false in the Kibana config YAML file.
Cloud
There is no workaround.
Indicators of Compromise (IOC)
Look for "JavaScript heap out of memory" or "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed" errors in Kibana server logs, which indicate that the Node.js process crashed due to memory exhaustion.
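The following helper, added here as an example and not Elastic's code, turns the affected-version ranges, the self-hosted workaround and the log indicators above into checks a defender can run: it classifies a Kibana version against the advisory's ranges, confirms the vis_type_timelion.enabled: false setting is present in a config file, and scans server log lines for the two error strings. The sample log lines are constructed, and the YAML check is a simple line-based match rather than a full YAML parser.

```python
import re

# Affected ranges as the advisory lists them: (first affected, last affected, fix).
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 19, 12), "8.19.13"),
    ((9, 0, 0), (9, 2, 6), "9.2.7"),
    ((9, 3, 0), (9, 3, 1), "9.3.2"),
]

# Log markers the advisory names as indicators of the Node.js heap crash.
IOC_MARKERS = (
    "JavaScript heap out of memory",
    "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed",
)

def parse_version(text):
    """Turn 'major.minor.patch' into a comparable int tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """Return (affected, fixed_in) for a version string such as '9.2.5'."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return True, fixed
    return False, None

def timelion_disabled(kibana_yml):
    """True if the YAML text sets the advisory's workaround. Line-based check,
    not a YAML parser: '#' comments are stripped before matching."""
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("vis_type_timelion.enabled:"):
            return line.split(":", 1)[1].strip().lower() == "false"
    return False

def find_ioc_lines(log_lines):
    """Return the log lines containing one of the advisory's IoC strings."""
    return [line for line in log_lines if any(m in line for m in IOC_MARKERS)]

# Constructed sample log lines (not real Kibana output) to exercise the scan.
SAMPLE_LOG = [
    "[info][plugins][timelion] Timelion expression evaluated in 12ms",
    "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory",
    "[info][http][server][Kibana] http server running at http://localhost:5601",
]
```

Feed the output of `kibana --version` to is_affected, the contents of the Kibana config YAML file to timelion_disabled, and a tail of the server log to find_ioc_lines.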
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26940
Problem Type: CWE-1284 - Improper Validation of Specified Quantity in Input
Impact: CAPEC-130 - Excessive Allocation