Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user (any valid Kibana login; no elevated privileges are required, consistent with the CVSS PR:L rating) can send a specially crafted compressed request payload. Because the payload is decompressed and processed before the authorization check that would otherwise reject the request, the server performs the expensive work regardless of whether the caller is allowed to make that request, causing excessive memory and CPU consumption that can leave the Kibana instance unresponsive or crash it.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.15
- 9.x:
  - All versions from 9.0.0 up to and including 9.3.4
  - All versions from 9.4.0 up to and including 9.4.1
Affected Configurations:
- All configurations of Kibana accessible to authenticated users are affected.
Solutions and Mitigations:
The issue is resolved in versions 8.19.16, 9.3.5, and 9.4.2.
For Users that Cannot Upgrade:
- There are no workarounds for this vulnerability.
Indicators of Compromise (IOC)
Users can monitor for unusual spikes in Kibana memory and CPU utilization, unexpected Kibana process crashes or restarts, and an abnormal volume of large compressed requests in Kibana's access logs.
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium (6.5) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-42400
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-130 - Excessive Allocation