Vulnerability Monitor

CVE-2026-0531


Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.


Published

2026-01-13T21:15:50.990

Last Modified

2026-01-22T19:59:54.277

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-770

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | elastic | kibana | < 7.17.29 | Yes |
| Application | elastic | kibana | < 8.19.10 | Yes |
| Application | elastic | kibana | < 9.1.10 | Yes |
| Application | elastic | kibana | < 9.2.4 | Yes |

References