Kibana 8.19.15, 9.3.4 Security Update (ESA-2026-49)

Allocation of Resources Without Limits or Throttling in Kibana Leading to Denial of Service

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.

Affected Versions:

  • 8.x: All versions from 8.0.0 up to and including 8.19.14
  • 9.x:
    • All versions from 9.0.0 up to and including 9.3.3
    • (9.4.0 and later not affected)

Affected Configurations:

  • Affects deployments that use the Timeline feature. Exploitation requires an authenticated account with access to Timeline.

Solutions and Mitigations:

The issue is resolved in versions 8.19.15 and 9.3.4.
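To check a fleet against the version ranges above, the following added example (not Elastic's code) classifies Kibana version strings as affected or not and names the fixed release for each affected line. The host names and the inventory are constructed sample data, and rejecting version strings that are not plain `major.minor.patch` is an assumption of this example.

```python
import re

# Ranges and fixed releases copied from this advisory (ESA-2026-49).
AFFECTED = [
    ((8, 0, 0), (8, 19, 14), "8.19.15"),
    ((9, 0, 0), (9, 3, 3), "9.3.4"),
]

def parse_version(text):
    """Parse 'major.minor.patch'; anything else (suffixes, garbage) is rejected."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(version_text):
    """Return (status, fixed_in) for one Kibana version string."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return ("affected", fixed)
    if version[0] in (8, 9):
        # 8.19.15+, 9.3.4+ and 9.4.0+ fall outside the affected ranges.
        return ("not affected", None)
    # The advisory only lists 8.x and 9.x; make no claim about other majors.
    return ("not listed in advisory", None)

def triage(inventory):
    """inventory maps host -> version string; returns host -> (status, fixed_in)."""
    report = {}
    for host, raw in sorted(inventory.items()):
        try:
            report[host] = classify(raw)
        except ValueError:
            report[host] = ("unknown version", None)  # needs a manual check
    return report

# Constructed inventory for illustration; host names are hypothetical.
SAMPLE = {
    "kibana-prod-1": "8.19.14",
    "kibana-prod-2": "8.19.15",
    "kibana-dev-1": "9.3.3",
    "kibana-dev-2": "9.4.0",
    "kibana-lab": "9.3.4-SNAPSHOT",
}

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE).items():
        print(f"{host}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```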

For Users that Cannot Upgrade:

There are no workarounds for this vulnerability.

Indicators of Compromise (IOC)

No specific indicators of compromise have been identified for this vulnerability.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-49087
Problem Type: CWE-770 - Allocation of Resources Without Limits or Throttling
Impact: CAPEC-130 - Excessive Allocation