Cyber Posture

CVE-2026-0528

Medium

Published: 13 January 2026
Modified: 22 January 2026
KEV Added: not listed
Patch: available
CVSS Score: 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0528 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Elastic Kibana. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 16.5th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes exploitation of input validation flaws in Metricbeat to crash the process via crafted network payloads, which directly matches application exploitation used for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

Deeper analysis (AI-generated)

CVE-2026-0528 is an Improper Validation of Array Index vulnerability (CWE-129) in Metricbeat's Graphite server metricset and Zookeeper server metricset, along with an Improper Input Validation issue (CWE-20) in the Prometheus helper module. These flaws affect Metricbeat, a component of the Elastic Stack used for collecting and shipping metrics. Published on 2026-01-13, the vulnerability has a CVSS v3.1 base score of 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating medium severity with high availability impact but no confidentiality or integrity effects.

An attacker with adjacent network access can exploit these issues without privileges or user interaction by sending specially crafted, malformed payloads to the Graphite or Zookeeper server metricsets, or malformed metric data to the Prometheus helper module. This enables a Denial of Service (DoS) through input data manipulation (CAPEC-153), potentially crashing the affected Metricbeat instance and disrupting metric collection.
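The page does not say which index Metricbeat's metricsets fail to validate, so the following is a constructed illustration of the CWE-129 pattern in the same kind of code: a listener parsing Graphite plaintext lines ("<path> <value> <timestamp>") received from the network. It is an added example, not Metricbeat's or Elastic's code; the function names, the Metric type and the sample lines are assumptions made for the demonstration. It places a naive parser that indexes split fields unchecked (a short line makes Go panic, and an unrecovered panic in a goroutine terminates the whole process, which is exactly the availability impact the advisory describes) beside a strict parser that validates field count and types first and returns an error, plus the recover wrapper a listener should keep around every per-message handler as defense in depth.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Metric is one parsed Graphite plaintext sample: "<path> <value> <timestamp>".
type Metric struct {
	Path      string
	Value     float64
	Timestamp int64
}

// Constructed sample input (not from the page): the first line is well-formed,
// the rest are the kinds of malformed lines a network listener must tolerate.
var sampleLines = []string{
	"system.cpu.load 0.73 1768262400",
	"system.cpu.load 0.73",            // missing timestamp
	"",                                // empty line
	"system.cpu.load abc 1768262400",  // non-numeric value
	"system.cpu.load 0.73 notatime",   // non-numeric timestamp
	"a b c d",                         // too many fields
}

// ErrMalformed is returned by parseStrict for any line it rejects.
var ErrMalformed = errors.New("malformed graphite line")

// parseNaive indexes the split fields without checking how many there are.
// On a short line fields[1] or fields[2] is out of range and Go panics; in a
// goroutine without a recover that takes the whole process down. This is the
// CWE-129 pattern, shown here only as a constructed "before" case.
func parseNaive(line string) Metric {
	fields := strings.Fields(line)
	v, _ := strconv.ParseFloat(fields[1], 64)
	ts, _ := strconv.ParseInt(fields[2], 10, 64)
	return Metric{Path: fields[0], Value: v, Timestamp: ts}
}

// parseStrict validates the field count before touching any index, then the
// value and timestamp types, and reports an error instead of panicking.
func parseStrict(line string) (Metric, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Metric{}, fmt.Errorf("%w: want 3 fields, got %d", ErrMalformed, len(fields))
	}
	v, err := strconv.ParseFloat(fields[1], 64)
	if err != nil {
		return Metric{}, fmt.Errorf("%w: value: %v", ErrMalformed, err)
	}
	ts, err := strconv.ParseInt(fields[2], 10, 64)
	if err != nil {
		return Metric{}, fmt.Errorf("%w: timestamp: %v", ErrMalformed, err)
	}
	return Metric{Path: fields[0], Value: v, Timestamp: ts}, nil
}

// naivePanics reports whether parseNaive panics on the line, recovering so the
// caller survives. A listener should wrap each per-message handler like this
// even after the parser is fixed, so one bad datagram cannot stop collection.
func naivePanics(line string) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	parseNaive(line)
	return false
}

// countAccepted runs parseStrict over lines and returns how many were accepted
// and how many rejected; none of them can crash the caller.
func countAccepted(lines []string) (accepted int, rejected int) {
	for _, l := range lines {
		if _, err := parseStrict(l); err != nil {
			rejected++
		} else {
			accepted++
		}
	}
	return accepted, rejected
}

func main() {
	for _, l := range sampleLines {
		m, err := parseStrict(l)
		fmt.Printf("%-34q naive panics=%-5v strict=%+v err=%v\n", l, naivePanics(l), m, err)
	}
}
```

Run with `go run` and the output shows the two short lines panicking under the naive parser while the strict parser accepts exactly one of the six sample lines and rejects the rest with a wrapped ErrMalformed. In a detection context, a sudden rise in such rejections from one source address on the metricset's listening port is the signal worth alerting on.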

Elastic's security advisory at https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519 details a security update for Metricbeat versions including 8.19.1, 10.9.1, and 10.9.2.4, providing patches to mitigate the vulnerabilities.

Details

CWE(s): CWE-129 Improper Validation of Array Index; CWE-20 Improper Input Validation

Affected Products

Elastic Kibana: 7.0.0 to 7.17.29 · 8.0.0 to 8.19.10 · 9.0.0 to 9.1.10

CVEs Like This One

CVE-2026-26935 · Same product: Elastic Kibana
CVE-2026-26936 · Same product: Elastic Kibana
CVE-2026-4498 · Same product: Elastic Kibana
CVE-2026-33458 · Same product: Elastic Kibana
CVE-2025-25015 · Same product: Elastic Kibana
CVE-2026-26937 · Same product: Elastic Kibana
CVE-2026-26938 · Same product: Elastic Kibana
CVE-2026-33461 · Same product: Elastic Kibana
CVE-2024-43707 · Same product: Elastic Kibana
CVE-2026-33281 · Shared CWE-129
