CVE-2026-26936
Published: 26 February 2026
Summary
CVE-2026-26936 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Elastic Kibana. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26936 is an Inefficient Regular Expression Complexity vulnerability (CWE-1333) affecting the AI Inference Anonymization Engine in Kibana. Published on 2026-02-26, it enables a Denial of Service through Regular Expression Exponential Blowup (CAPEC-492), where crafted regex inputs trigger excessive computation. The issue carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H), indicating moderate severity primarily due to high availability impact.
An attacker with high privileges (PR:H) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required. By submitting specially crafted input to the AI Inference Anonymization Engine, the attacker triggers exponential backtracking in regex processing, leading to high CPU consumption or service crashes that deny availability to legitimate users.
Elastic's security advisory ESA-2026-14, detailed at https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-14/385250, addresses the vulnerability in affected Kibana versions including 8.19.1 and 9.2.5 through security updates that mitigate the regex complexity issue. Practitioners should apply these patches promptly to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8866
Vulnerability details
Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables DoS via crafted regex input causing exponential backtracking and resource exhaustion in the Kibana app, directly mapping to application/system exploitation for availability impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of vendor patches that remediate the inefficient regex flaw in the AI Inference Anonymization Engine.
Mandates technical controls to detect and throttle resource-exhaustion attempts such as regex exponential blowup before availability is lost.
Requires validation and sanitization of inputs to the anonymization engine, limiting the ability of crafted regex patterns to trigger catastrophic backtracking.