Cyber Resilience

CVE-2026-26937

MediumDDoS

Published: 26 February 2026

Published
26 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 20.4th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26937 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Elastic Kibana. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26937 is an uncontrolled resource consumption vulnerability (CWE-400) affecting the Timelion component in Kibana. Published on 2026-02-26, it enables denial of service through input data manipulation (CAPEC-153). The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

An attacker requires low privileges to exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation results in high-impact denial of service via resource exhaustion, with no effects on confidentiality or integrity.

Elastic's security advisory ESA-2026-15, available at https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/385251, addresses the vulnerability with updates for Kibana versions including 8.19.1 and 9.2.5.

EU & UK References

Vulnerability details

Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Uncontrolled resource consumption (CWE-400) via crafted input in Kibana Timelion directly enables application-layer resource exhaustion DoS by an authenticated network attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26935Same product: Elastic Kibana
CVE-2024-43707Same product: Elastic Kibana
CVE-2025-25015Same product: Elastic Kibana
CVE-2026-4498Same product: Elastic Kibana
CVE-2026-42398Same product: Elastic Kibana
CVE-2026-33461Same product: Elastic Kibana
CVE-2026-26938Same product: Elastic Kibana
CVE-2026-0528Same product: Elastic Kibana
CVE-2026-33458Same product: Elastic Kibana
CVE-2026-26936Same product: Elastic Kibana

Affected Assets

elastic
kibana
8.0.0 — 8.19.11 · 9.0.0 — 9.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly limits effects of resource-exhaustion DoS attacks against network-accessible components such as Timelion.

prevent

Requires validation of all inputs to block the CAPEC-153 data-manipulation payloads that trigger uncontrolled consumption.

prevent

Protects availability of system resources so that a single malicious Timelion request cannot starve the service.

References