CVE-2026-0531 (GCVE-0-2026-0531)

Vulnerability from cvelistv5 – Published: 2026-01-13 21:05 – Updated: 2026-01-13 21:25
VLAI
Title
Allocation of Resources Without Limits or Throttling in Kibana Fleet
Summary
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
Elastic Kibana Affected: 7.10.0 , ≤ 7.17.29 (semver)
Affected: 8.0.0 , ≤ 8.19.9 (semver)
Affected: 9.0.0 , ≤ 9.1.9 (semver)
Affected: 9.2.0 , ≤ 9.2.3 (semver)
Create a notification for this product.
Credits
vultza
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0531",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T21:23:07.464386Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T21:25:44.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kibana",
          "vendor": "Elastic",
          "versions": [
            {
              "lessThanOrEqual": "7.17.29",
              "status": "affected",
              "version": "7.10.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.19.9",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.1.9",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.2.3",
              "status": "affected",
              "version": "9.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "vultza"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T21:05:51.994Z",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522"
        }
      ],
      "source": {
        "discovery": "Elastic"
      },
      "title": "Allocation of Resources Without Limits or Throttling in Kibana Fleet",
      "x_generator": {
        "engine": "Elastic CVE Publisher 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2026-0531",
    "datePublished": "2026-01-13T21:05:51.994Z",
    "dateReserved": "2025-12-19T15:59:24.984Z",
    "dateUpdated": "2026-01-13T21:25:44.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-0531",
      "date": "2026-06-30",
      "epss": "0.00416",
      "percentile": "0.33303"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-0531\",\"sourceIdentifier\":\"security@elastic.co\",\"published\":\"2026-01-13T21:15:50.990\",\"lastModified\":\"2026-06-17T10:10:53.800\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.\"},{\"lang\":\"es\",\"value\":\"Asignaci\u00f3n de Recursos Sin L\u00edmites o Limitaci\u00f3n (CWE-770) en Kibana Fleet puede conducir a una Asignaci\u00f3n Excesiva (CAPEC-130) a trav\u00e9s de una solicitud de recuperaci\u00f3n masiva especialmente dise\u00f1ada. Esto requiere que un atacante tenga privilegios de bajo nivel equivalentes al rol de visor, que otorga acceso de lectura a las pol\u00edticas de agente. La solicitud dise\u00f1ada puede hacer que la aplicaci\u00f3n realice operaciones redundantes de recuperaci\u00f3n de base de datos que consumen memoria inmediatamente hasta que el servidor se bloquea y deja de estar disponible para todos los usuarios.\"}],\"affected\":[{\"source\":\"security@elastic.co\",\"affectedData\":[{\"vendor\":\"Elastic\",\"product\":\"Kibana\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"7.10.0\",\"lessThanOrEqual\":\"7.17.29\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.0.0\",\"lessThanOrEqual\":\"8.19.9\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"9.0.0\",\"lessThanOrEqual\":\"9.1.9\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"9.2.0\",\"lessThanOrEqual\":\"9.2.3\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@elastic.co\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-13T21:23:07.464386Z\",\"id\":\"CVE-2026-0531\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@elastic.co\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.10.0\",\"versionEndExcluding\":\"7.17.29\",\"matchCriteriaId\":\"1863989E-58AD-4481-B872-DF5AC637F854\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.19.10\",\"matchCriteriaId\":\"8707CF69-9922-490B-B64F-38F2D31E2CA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.1.10\",\"matchCriteriaId\":\"FC3281ED-A331-43DC-9705-80A3FA3E6C75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.2.0\",\"versionEndExcluding\":\"9.2.4\",\"matchCriteriaId\":\"8BF9D6AE-B07F-4516-A684-60B02BF731A0\"}]}]}],\"references\":[{\"url\":\"https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522\",\"source\":\"security@elastic.co\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0531\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-13T21:23:07.464386Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-13T21:25:40.325Z\"}}], \"cna\": {\"title\": \"Allocation of Resources Without Limits or Throttling in Kibana Fleet\", \"source\": {\"discovery\": \"Elastic\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"vultza\"}], \"impacts\": [{\"capecId\": \"CAPEC-130\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-130 Excessive Allocation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Elastic\", \"product\": \"Kibana\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.10.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.17.29\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.19.9\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.1.9\"}, {\"status\": \"affected\", \"version\": \"9.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.2.3\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522\"}], \"x_generator\": {\"engine\": \"Elastic CVE Publisher 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAllocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"271b6943-45a9-4f3a-ab4e-976f3fa05b5a\", \"shortName\": \"elastic\", \"dateUpdated\": \"2026-01-13T21:05:51.994Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-0531\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-13T21:25:44.808Z\", \"dateReserved\": \"2025-12-19T15:59:24.984Z\", \"assignerOrgId\": \"271b6943-45a9-4f3a-ab4e-976f3fa05b5a\", \"datePublished\": \"2026-01-13T21:05:51.994Z\", \"assignerShortName\": \"elastic\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…