vulnerability

Elastic Kibana: CVE-2026-0531: Allocation of Resources Without Limits or Throttling

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:N/I:N/A:C)	Jan 13, 2026	Jan 14, 2026	Jan 26, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:N/A:C)

Published

Jan 13, 2026

Added

Jan 14, 2026

Modified

Jan 26, 2026

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

Solution

elastic-kibana-upgrade-latest

References

CWE-770
CVE-2026-0531
https://attackerkb.com/topics/CVE-2026-0531
URL-https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today