Denial of Service Vulnerability in Kibana by Elastic
CVE-2026-42399

6.5MEDIUM

Key Information:

Vendor: Elastic
Status: Kibana
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-42399?

An authenticated low-privileged user in Kibana can exploit a vulnerability that allows them to submit a specially crafted Timelion visualization expression. This expression, containing deeply chained function calls, can cause Kibana to consume large amounts of memory. As the data structure grows uncontrollably, it can lead to memory exhaustion, ultimately resulting in a denial of service where the Kibana service crashes and becomes unavailable for all users.

Affected Version(s)

Kibana 8.0.0 <= 8.19.15

Kibana 9.0.0 <= 9.3.4

References

https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-sec...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42399 Data

JSON