Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.15
- 9.x: All versions from 9.0.0 up to and including 9.3.4
Affected Configurations:
- All Kibana deployments (self-managed and Elastic Cloud Hosted) where authenticated users have access to the Timelion visualization feature are affected.
Solutions and Mitigations:
The issue is resolved in versions 8.19.16, and 9.3.5.
Elastic Cloud Serverless
Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.
Severity: CVSSv3.1: Medium ( 6.5 ) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-42399
Problem Type: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-130 - Excessive Allocation