
CVE-2026-0531

nvd nist
Published: Jan 13, 2026
Modified: Jan 22, 2026

CVSS score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 / Impact: 3.6
Source: security@elastic.co (Secondary)

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

Affected (4)

Products: Elastic: Kibana (1 product)

Configuration A (4 vulnerable)

Vulnerable Software: Elastic Kibana
Affected Versions:
From 7.10.0 to 7.17.29
From 8.0.0 to 8.19.10
From 9.0.0 to 9.1.10
From 9.2.0 to 9.2.4

Timeline

No history available yet.