CVE-2026-42399: Kibana Denial of Service via Timelion Expression Overflow
A vulnerability in Kibana allows authenticated users with basic access to crash the application by uploading specially crafted visualizations. An attacker submits a Timelion visualization with deeply nested function calls that causes Kibana to allocate memory without limit, eventually consuming all available RAM and taking the service offline for everyone. This is a denial-of-service attack that requires valid credentials but no administrative privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42399 is an uncontrolled resource consumption vulnerability (CWE-400) affecting Elastic Kibana. The vulnerability exists in the Timelion visualization engine, which fails to properly bound memory allocation when processing expressions containing excessive levels of chained function calls. An authenticated user can craft a malicious visualization expression that generates a data structure of exponential size. The unchecked recursion or nesting causes the Kibana process to exhaust available heap memory, triggering an out-of-memory condition and service crash. The attack vector is network-accessible, requires low-privilege authentication, and does not require user interaction to execute.
Business impact
Successful exploitation results in denial of service affecting all Kibana users in an affected environment. Analytics, log analysis, and dashboard visibility are unavailable until the service is manually restarted. For organizations using Kibana for security operations, real-time visibility into events is lost during the outage, creating potential blind spots for threat detection. Recovery requires manual intervention, potentially extending downtime. The attack surface includes any authenticated user—including service accounts with minimal privileges—reducing the barrier to exploitation.
Affected systems
Elastic Kibana is affected. The vulnerability is specific to the Timelion visualization feature. Organizations running Kibana as part of the Elastic Stack (formerly ELK Stack) are at risk. Verify the specific affected version range against the Elastic security advisory, as the source data does not specify version boundaries.
Exploitability
Exploitability is moderate. The attack requires valid authentication credentials, which constrains the attack to insider threats or accounts obtained through credential compromise. No user interaction is required once the crafted visualization is submitted. The low barrier to execution—simply uploading a visualization—means that any authenticated user, regardless of privilege level, can trigger the denial of service. Public exploit code has not been identified in known exploit databases as of the advisory date.
Remediation
Apply the security patch provided by Elastic for Kibana. Organizations should prioritize patching based on their exposure to untrusted users with Kibana access. As an interim mitigation, restrict Timelion visualization creation and editing to trusted users, or disable Timelion entirely if not required. Monitor Kibana process memory usage and implement automatic alerting if memory consumption spikes unexpectedly.
Patch guidance
Refer to the official Elastic security advisory for the specific patched version that addresses CVE-2026-42399. Patches are typically released for active maintenance branches; verify your version against the advisory to identify the upgrade path. Test patches in a non-production environment before deploying to production Kibana clusters. Patching may require a service restart depending on your Kibana deployment model.
Detection guidance
Monitor Kibana process memory consumption for unexplained spikes, particularly after visualization creation or modification events. Log authentication events combined with Timelion visualization submissions from unusual or lower-privileged accounts. Implement alerting on Kibana service crashes or out-of-memory errors. If possible, instrument Timelion expression parsing to detect pathologically nested or deeply chained function calls before execution.
Why prioritize this
This vulnerability merits prompt attention despite its MEDIUM CVSS score because it enables any authenticated user to disrupt critical analytics infrastructure. The low barrier to exploitation and high operational impact make it a priority for environments where Kibana availability is essential to security operations or business intelligence workflows. Insider threat and credential compromise scenarios elevate risk.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects the requirement for authentication (PR:L) and the lack of confidentiality or integrity impact (C:N/I:N). The score emphasizes availability impact (A:H), recognizing that complete denial of service is possible. The network-accessible vector (AV:N) and low attack complexity (AC:L) increase the score relative to a purely local vulnerability. Organizations dependent on Kibana for operational visibility may consider this functionally higher-risk than the base CVSS suggests.
Frequently asked questions
Who can exploit this vulnerability?
Any user with valid Kibana credentials, including those with minimal privileges, can exploit this vulnerability. It does not require administrative or superuser rights, making it accessible to service accounts, read-only users, or any authenticated principal.
Can this be exploited remotely?
Yes. The attack is delivered over the network via visualization upload to Kibana. It does not require local system access and can be executed from any network location with connectivity to Kibana.
What happens during an attack?
The attacker submits a Timelion visualization containing deeply chained function calls. Kibana allocates memory to process the expression, and the memory allocation grows without bound. When available memory is exhausted, the Kibana process crashes, taking the service offline for all users until manually restarted.
Is there a workaround if we cannot patch immediately?
Yes. Restrict Timelion visualization creation and editing to a small set of trusted users via role-based access controls. Monitor Kibana memory usage and implement auto-restart policies. If Timelion is not used, consider disabling the feature entirely. These are temporary measures; patching should be prioritized.
This analysis is provided for informational purposes to support security decision-making. CVE-2026-42399 details are based on publicly available advisory data as of the modification date. Organizations should verify affected product versions, patch availability, and compatibility requirements against the official Elastic security advisory before applying fixes. SEC.co makes no representations regarding the completeness, accuracy, or fitness for any particular purpose of this intelligence. Consult your vendor and internal security teams for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-33464MEDIUMKibana Denial of Service via Resource Exhaustion
- CVE-2026-42400MEDIUMKibana Denial of Service via Uncontrolled Resource Consumption
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability