VYPR
← All advisories
Medium severity6.5NVD Advisory· Published May 28, 2026

CVE-2026-33464

CVE-2026-33464

Description

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kibana versions prior to 8.19.16, 9.3.5, and 9.4.1 are vulnerable to a denial of service via excessive allocation by an authenticated low-privileged user.

Vulnerability

Kibana versions 8.0.0 through 8.19.15, 9.0.0 through 9.3.4, and 9.4.0 are affected by an uncontrolled resource consumption vulnerability (CWE-400) in an internal API. An authenticated user with a low-privileged role (e.g., Viewer) can submit a specially crafted, oversized payload to this API, triggering excessive memory allocation.

Exploitation

The attacker must have authenticated access to Kibana with at least the Viewer role. No additional privileges are required. The attacker sends a crafted oversized payload to the vulnerable internal API endpoint. The payload causes the Kibana process to allocate excessive resources, leading to resource exhaustion.

Impact

Successful exploitation results in a denial of service condition: the Kibana process becomes unresponsive to all users until the service recovers or is manually restarted. There is no impact on confidentiality or integrity; only availability is affected.

Mitigation

The vulnerability is fixed in Kibana versions 8.19.16, 9.3.5, and 9.4.1 [1]. Users should upgrade to these versions or later. For Elastic Cloud Serverless deployments, the issue was remediated before public disclosure. No workarounds are documented; upgrading is the recommended mitigation.

References
  1. Kibana 8.19.16, 9.3.5, 9.4.1 Security Update (ESA-2026-32)

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Elastic/Kibanainferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: prior to 8.19.16, 9.3.5, 9.4.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.