CVE-2026-26936

Medium

Published: 26 February 2026

Published

26 February 2026

Modified

02 March 2026

KEV Added

—

Patch

—

CVSS Score 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0008 23.8th percentile

Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26936 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Elastic Kibana. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE enables DoS via crafted regex input causing exponential backtracking and resource exhaustion in the Kibana app, directly mapping to application/system exploitation for availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

Deeper analysisAI

CVE-2026-26936 is an Inefficient Regular Expression Complexity vulnerability (CWE-1333) affecting the AI Inference Anonymization Engine in Kibana. Published on 2026-02-26, it enables a Denial of Service through Regular Expression Exponential Blowup (CAPEC-492), where crafted regex inputs trigger excessive computation. The issue carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H), indicating moderate severity primarily due to high availability impact.

An attacker with high privileges (PR:H) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required. By submitting specially crafted input to the AI Inference Anonymization Engine, the attacker triggers exponential backtracking in regex processing, leading to high CPU consumption or service crashes that deny availability to legitimate users.

Elastic's security advisory ESA-2026-14, detailed at https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-14/385250, addresses the vulnerability in affected Kibana versions including 8.19.1 and 9.2.5 through security updates that mitigate the regex complexity issue. Practitioners should apply these patches promptly to prevent exploitation.

Details

CWE(s): CWE-1333

Affected Products

elastic

kibana

8.0.0 — 8.19.11 · 9.0.0 — 9.2.5

AI Security AnalysisAI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-26935Same product: Elastic Kibana

CVE-2026-0528Same product: Elastic Kibana

CVE-2026-4498Same product: Elastic Kibana

CVE-2026-33458Same product: Elastic Kibana

CVE-2024-43707Same product: Elastic Kibana

CVE-2025-25015Same product: Elastic Kibana

CVE-2026-26937Same product: Elastic Kibana

CVE-2026-26938Same product: Elastic Kibana

CVE-2026-33461Same product: Elastic Kibana

CVE-2024-12720Shared CWE-1333

References

https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-14/385250
Vendor Advisory · security@elastic.co