Cyber Resilience

CVE-2026-26936

Medium

Published: 26 February 2026

Published
26 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v3.1 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 24.0th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26936 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Elastic Kibana. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26936 is an Inefficient Regular Expression Complexity vulnerability (CWE-1333) affecting the AI Inference Anonymization Engine in Kibana. Published on 2026-02-26, it enables a Denial of Service through Regular Expression Exponential Blowup (CAPEC-492), where crafted regex inputs trigger excessive computation. The issue carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H), indicating moderate severity primarily due to high availability impact.

An attacker with high privileges (PR:H) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required. By submitting specially crafted input to the AI Inference Anonymization Engine, the attacker triggers exponential backtracking in regex processing, leading to high CPU consumption or service crashes that deny availability to legitimate users.

Elastic's security advisory ESA-2026-14, detailed at https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-14/385250, addresses the vulnerability in affected Kibana versions including 8.19.1 and 9.2.5 through security updates that mitigate the regex complexity issue. Practitioners should apply these patches promptly to prevent exploitation.

EU & UK References

Vulnerability details

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables DoS via crafted regex input causing exponential backtracking and resource exhaustion in the Kibana app, directly mapping to application/system exploitation for availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26935Same product: Elastic Kibana
CVE-2026-0528Same product: Elastic Kibana
CVE-2026-26938Same product: Elastic Kibana
CVE-2025-25015Same product: Elastic Kibana
CVE-2026-26937Same product: Elastic Kibana
CVE-2026-4498Same product: Elastic Kibana
CVE-2026-42398Same product: Elastic Kibana
CVE-2026-33458Same product: Elastic Kibana
CVE-2024-43707Same product: Elastic Kibana
CVE-2026-33461Same product: Elastic Kibana

Affected Assets

elastic
kibana
8.0.0 — 8.19.11 · 9.0.0 — 9.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of vendor patches that remediate the inefficient regex flaw in the AI Inference Anonymization Engine.

prevent

Mandates technical controls to detect and throttle resource-exhaustion attempts such as regex exponential blowup before availability is lost.

prevent

Requires validation and sanitization of inputs to the anonymization engine, limiting the ability of crafted regex patterns to trigger catastrophic backtracking.

References