MEDIUM 6.5

CVE-2026-49094: Kibana Denial of Service via Uncontrolled Resource Consumption

A vulnerability in Kibana allows authenticated users with basic viewer access to cause the service to become unavailable by submitting specially crafted requests to analytics collection endpoints. When Kibana processes these requests, it exhausts system CPU and memory resources, forcing administrators to manually restart the service to restore availability. The attacker does not need elevated permissions—standard viewer-level credentials are sufficient to trigger the denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49094 is an uncontrolled resource consumption flaw (CWE-400) affecting Kibana's analytics collections management functionality. An authenticated user can craft a request with an oversized input value directed at specific analytics endpoints, causing the application to allocate excessive CPU and memory during request processing. The lack of input validation or resource limits on these endpoints allows a single malicious request to degrade performance to the point of complete service unavailability. Recovery requires manual intervention, typically a service restart.

Business impact

This vulnerability creates a denial-of-service vector that directly impacts operational continuity. Organizations relying on Kibana for log analysis, security monitoring, or observability face potential service interruptions initiated by any user with viewer credentials—a permission level commonly granted across teams. Unlike infrastructure-level DoS attacks, this can be triggered by internal users without specialized network access, making it both an insider-risk concern and a potential escalation path for compromised low-privilege accounts. Unscheduled downtime disrupts incident response workflows and obscures critical operational visibility during active investigations.

Affected systems

Elastic Kibana is the affected product. The vulnerability is exposure-specific to authentication-enabled deployments where viewer-level access is distributed. Air-gapped or single-user Kibana instances face lower practical risk, though still remain technically vulnerable if internal access is compromised. Verify the exact affected version range against the Elastic security advisory.

Exploitability

Exploitability is moderate. The attack requires valid authentication credentials at viewer level—a common permission tier—but does not require privilege escalation or complex manipulation. Exploitation is trivial once credentials are obtained; a single HTTP request can trigger the condition. There is no evidence of public exploit code or active exploitation in the wild at this time (KEV status: not listed). However, the straightforward nature of the attack and the prevalence of viewer accounts increase the likelihood of opportunistic abuse if the vulnerability becomes widely known.

Remediation

Patch Kibana to a version addressing this resource consumption issue. Verify the specific patch version against the official Elastic security advisory for your deployment. Until patching is possible, implement compensating controls: restrict viewer-level access to only users who require it, monitor analytics collection endpoint request sizes and processing times, and configure resource limits or rate-limiting at the reverse proxy or load balancer level to prevent individual requests from consuming excessive resources. Implement alerting on abnormal CPU/memory spikes tied to Kibana processes.

Patch guidance

Contact Elastic for the patched version applicable to your Kibana release line. Apply patches during a maintenance window, ensuring you have a tested rollback plan. After patching, validate that analytics collection endpoints respond normally to legitimate requests and monitor the first 48 hours of operation for any regression. In high-availability deployments, apply patches in a rolling fashion to minimize user impact.

Detection guidance

Monitor Kibana process CPU and memory utilization for sudden, unexplained spikes correlated with HTTP requests to analytics collection management endpoints. Log ingestion from Kibana access logs can identify requests with unusually large or malformed input parameters. Network-based detection is challenging without deep packet inspection, but anomalously large POST/PUT payloads to `/api/` or similar management paths merit investigation. Establish baseline metrics for normal analytics collection request sizes and alert on deviations. Review authentication logs for viewer-level account activity during or preceding performance degradation events.

Why prioritize this

Although the CVSS score of 6.5 (MEDIUM) reflects the availability impact, the low barrier to exploitation (viewer credentials, no complex steps), the ease of weaponization (single request), and the direct operational impact warrant prioritized attention. The vulnerability does not require network-layer access or privilege escalation, making it more likely to be exploited in practice than higher-scored flaws. Organizations should treat this as a near-term remediation priority, particularly in environments where viewer access is widely distributed or where log availability is mission-critical.

Risk score, explained

The CVSS:3.1 score of 6.5 reflects a MEDIUM severity rating based on the network vector (AV:N), low attack complexity (AC:L), requirement for low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). The presence of an authentication requirement (PR:L) and absence of cascading integrity or confidentiality risks prevent a higher score, but the complete availability impact within the system scope justifies the MEDIUM classification.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires valid authentication credentials with at least viewer-level permissions. However, viewer access is typically permissive in Kibana environments, and compromised credentials at this level would be sufficient to trigger the denial of service.

What is the difference between this and a network-level DoS attack?

This is an application-layer DoS initiated by a single authenticated request, not a flood attack. An attacker does not need to saturate network pipes or coordinate distributed traffic; one malformed request to an internal endpoint can render the service unavailable, making it easier to exploit with minimal detection risk.

Will patching alone prevent all future exploitation?

Patching is the primary mitigation. However, organizations should also review access control policies to minimize the distribution of viewer-level credentials and implement rate-limiting or input validation at the reverse proxy or API gateway layer as defense-in-depth measures.

Is there a workaround if we cannot patch immediately?

While a complete workaround does not exist, you can reduce risk by restricting viewer access to only essential personnel, implementing resource limits on Kibana process threads, and enabling detailed logging and alerting on analytics collection endpoint access patterns to detect potential exploitation attempts.

This analysis is for informational and defensive security purposes. SEC.co does not provide or endorse any exploitation techniques. Patch versions, affected version ranges, and specific technical details must be verified against the official Elastic security advisory before deployment. This summary reflects information available at the time of publication; advisories and remediation guidance may be updated by the vendor. Organizations should conduct their own risk assessment and testing before applying patches or deploying compensating controls in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).