Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.15
- 9.x:
- All versions from 9.0.0 up to and including 9.3.4
- Version 9.4.0
Affected Configurations:
- All Kibana deployments where untrusted users hold authenticated access at the Viewer role or higher are affected.
Solutions and Mitigations:
The issue is resolved in Kibana version 8.19.16, 9.3.5, 9.4.1
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium ( 6.5 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-33464
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-130 - Excessive Allocation