CVE-2026-26937
Published: 26 February 2026
Summary
CVE-2026-26937 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Elastic Kibana. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The vulnerability is ranked at the 20.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26937 is an uncontrolled resource consumption vulnerability (CWE-400) affecting the Timelion component in Kibana. Published on 2026-02-26, it enables denial of service through input data manipulation (CAPEC-153). The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An attacker requires low privileges to exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation results in high-impact denial of service via resource exhaustion, with no effects on confidentiality or integrity.
Elastic's security advisory ESA-2026-15, available at https://discuss.elastic.co/t/kibana-8-19-11-9-2-5-security-update-esa-2026-15/385251, addresses the vulnerability with updates for Kibana versions including 8.19.11 and 9.2.5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8872
Vulnerability details
Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Uncontrolled resource consumption (CWE-400) via crafted input in Kibana Timelion directly enables application-layer resource exhaustion DoS by an authenticated network attacker.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly limits the effects of resource-exhaustion DoS attacks against network-accessible components such as Timelion.
- SI-10 (Information Input Validation): requires validation of all inputs to block the CAPEC-153 data-manipulation payloads that trigger uncontrolled consumption.
- Protects availability of system resources so that a single malicious Timelion request cannot starve the service.