CVE-2026-42400: Kibana Denial of Service via Uncontrolled Resource Consumption
CVE-2026-42400 is a denial-of-service vulnerability in Kibana that allows an authenticated user to crash or freeze a Kibana instance by sending a malicious compressed request. The vulnerability exists because Kibana processes and decompresses incoming requests before fully validating user permissions, meaning an attacker can consume excessive memory and CPU resources on the server before authorization checks can stop them. While this requires valid credentials to exploit, the impact is straightforward: a Kibana instance can become unresponsive or crash entirely, disrupting visibility and analysis capabilities that teams depend on.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is an uncontrolled resource consumption vulnerability (CWE-400) stemming from improper sequencing of security checks in Kibana's request handling pipeline. An authenticated attacker crafts a specially compressed payload that triggers excessive decompression and processing before the application reaches authorization enforcement. The early processing of untrusted compressed data without resource limits allows an attacker to allocate memory and CPU cycles disproportionately, exhausting server capacity. The vulnerability is network-accessible and requires only valid authentication credentials—no user interaction is needed. The CVSS 3.1 score of 6.5 (Medium) reflects that availability is severely impacted while confidentiality and integrity remain unaffected.
Business impact
Kibana outages directly impact security operations, observability, and incident response. When a Kibana instance becomes unresponsive or crashes due to this vulnerability, analysts lose real-time access to logs, metrics, and security events. For organizations using Kibana as their primary analytics platform, even a brief denial of service can blind SOCs to ongoing threats, delay incident detection, and complicate forensics. An authenticated attacker—whether a compromised internal account or a malicious insider—can weaponize this to disrupt operations precisely when visibility matters most. Recovery requires manual restart, and in multi-tenant or clustered environments, the blast radius could extend across multiple users or systems.
Affected systems
All versions of Elastic Kibana are potentially affected by this vulnerability, though the specific affected version range should be confirmed against Elastic's official security advisory. Organizations running Kibana as part of their Elastic Stack deployment are in scope. The vulnerability requires valid Kibana authentication credentials, so public internet-facing instances without proper access controls or those with weak credential management face elevated risk.
Exploitability
This vulnerability is moderately exploitable. It requires valid authentication credentials, which raises the bar compared to unauthenticated DoS attacks but is still achievable for attackers who have obtained legitimate user accounts or compromised internal users. Crafting the malicious compressed payload requires moderate technical knowledge of Kibana's request format and compression handling, but the attack itself is straightforward to execute once understood. No complex exploitation techniques or race conditions are involved. The lack of a public exploit or KEV listing suggests active exploitation is not yet widespread, but the simplicity of the attack means the threat level could escalate rapidly if proof-of-concept code is published.
Remediation
Organizations should prioritize patching Kibana to a version that implements proper resource limits and moves authorization checks before request processing and decompression. Consult Elastic's official security advisory for the specific patched version applicable to your deployed version. As an interim control, network-level rate limiting on Kibana endpoints can reduce the window for resource exhaustion attacks. Restricting Kibana access to trusted internal networks and enforcing strong authentication (MFA where available) reduces the likelihood that an attacker can obtain valid credentials needed to exploit this vulnerability.
Patch guidance
Check Elastic's official security advisories and release notes to identify which Kibana version addresses this vulnerability. Patch testing should validate that request processing handles compression safely and that authorization checks occur before resource-intensive operations. Apply patches in a test environment first to ensure compatibility with your Kibana configuration, custom plugins, and connected data sources. Coordinate patching during a maintenance window to avoid disrupting ongoing monitoring, or perform rolling updates in clustered Kibana deployments to maintain availability. Verify patch installation by checking Kibana's version reporting endpoint after upgrade.
Detection guidance
Monitor Kibana logs for repeated error messages or warnings related to request processing failures, decompression errors, or resource exhaustion events. Watch for sudden spikes in memory usage or CPU consumption that correlate with specific API requests or user activity. Implement alerting on Kibana node crashes or unresponsiveness, as these may indicate ongoing exploitation. Network-level detection can flag unusual compression patterns or oversized request payloads sent to Kibana endpoints from authenticated users. Consider baselines for normal resource consumption patterns within your environment and alert on anomalies that suggest resource-exhaustion attacks.
Why prioritize this
Although rated CVSS 6.5 (Medium), this vulnerability warrants prompt attention because it directly impacts operational security. Unlike vulnerabilities that affect data confidentiality or integrity indirectly, this DoS attack immediately disables a critical security tool. The authentication requirement does moderate risk compared to unauthenticated DoS attacks, but organizations relying on Kibana for real-time threat detection should treat this as a higher operational priority. The lack of KEV listing indicates this is not yet a widespread, targeted attack vector, providing a window to patch before threat actors adapt. In environments with strong access controls and limited internal user bases, risk is lower; in organizations with more permissive credential sharing or compromised user accounts, risk is higher.
Risk score, explained
The CVSS 6.5 score reflects a Medium severity rating driven by high availability impact (the attack causes crashes or unresponsiveness) but no direct impact to confidentiality or integrity. The attack requires network access and valid authentication credentials, which are limiting factors compared to unauthenticated network attacks. The low complexity of crafting and executing the attack once authenticated keeps the score from being lower. Organizations with strict access controls and multi-factor authentication on Kibana should view this as lower risk; those with weaker credential hygiene should view it as closer to High priority operationally, even if the CVSS score remains Medium.
Frequently asked questions
Do we need valid Kibana credentials to exploit this vulnerability?
Yes. This is an authenticated vulnerability, so an attacker must possess valid Kibana login credentials or compromise a legitimate user account to exploit it. This is a significant barrier compared to unauthenticated network attacks, but credential theft or insider threats remain realistic scenarios in many environments.
Is this vulnerability actively being exploited in the wild?
No—it is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update, indicating active exploitation in the wild has not been documented. However, this does not guarantee future exploitation will not occur, especially if public proof-of-concept code becomes available.
Can this attack impact other systems connected to Kibana, or is it limited to the Kibana instance itself?
The attack primarily targets the Kibana instance itself, causing it to become unresponsive or crash. However, if Kibana is part of a larger Elastic Stack or cluster, the operational impact may cascade—for example, if other systems depend on Kibana's availability for log analysis or if Kibana's crash triggers failover scenarios. The attack does not directly compromise data in Elasticsearch or other connected services.
What should we do if we cannot patch immediately?
Implement compensating controls: enforce multi-factor authentication on Kibana, restrict network access to trusted internal networks only, implement rate limiting and connection limits at the network or reverse-proxy level, and strengthen monitoring for signs of resource exhaustion. Prioritize patching as soon as your maintenance window and testing processes allow.
This analysis is provided for informational purposes and should not be considered a complete security assessment. Organizations should verify all technical details, affected version ranges, and patch availability directly against Elastic's official security advisories and their specific deployment configurations. The absence of a vulnerability from CISA's KEV catalog does not guarantee it is not being exploited; threat landscape and exploitation status can change rapidly. Coordinate all patching and remediation activities with your change management and incident response procedures. SEC.co and this analysis are not liable for damages resulting from actions taken or omitted based on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-33464MEDIUMKibana Denial of Service via Resource Exhaustion
- CVE-2026-42399MEDIUMKibana Denial of Service via Timelion Expression Overflow
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability