VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published May 28, 2026

CVE-2026-42399

Description

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Low-privileged users can crash Kibana by submitting a Timelion expression with deeply chained function calls, causing uncontrolled memory allocation.

Vulnerability

An authenticated low-privileged user can submit a specially crafted Timelion visualization expression containing deeply chained function calls to Kibana versions 8.0.0 through 8.19.15 and 9.0.0 through 9.3.4 [1]. The expression parser and data generation logic do not limit the nesting depth or resultant data structure size, leading to exponential memory consumption [CWE-400] [1]. This behavior is classified as an uncontrolled resource consumption vulnerability (CAPEC-130) [1].

Exploitation

The attacker requires only a valid low-privileged session on any Kibana deployment where the Timelion visualization feature is accessible [1]. No elevated privileges, special network position, or user interaction beyond the attacker's own actions are needed [1]. The attacker crafts a Timelion expression with deeply nested function calls and submits it (e.g., by saving or previewing a visualization). The server processes the expression without pruning or bounding the recursion, expanding the data structure until available memory is exhausted [1].
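The narrative above attributes the fault to a parser that accepts unbounded nesting and then generates data proportional to it. As an added illustration of the missing control, and not Kibana's or Timelion's own code or fix, the following toy parser for a Timelion-style chain syntax enforces a nesting-depth bound and a total call budget at parse time, before any data generation runs. The grammar, the limit values (`MAX_DEPTH`, `MAX_CALLS`), the error class and the function names are all assumptions made for this example.

```javascript
// Added example (not Kibana or Timelion code). Toy grammar, assumed for illustration:
//   chain := call+                       e.g.  .es("idx").label("x")
//   call  := '.' IDENT '(' [arg (',' arg)*] ')'
//   arg   := NUMBER | STRING | chain     (a chain argument nests one level deeper)
const MAX_DEPTH = 8;    // assumed limit, chosen for illustration
const MAX_CALLS = 256;  // assumed limit on total function calls per expression

class ExpressionTooLargeError extends Error {}

function parseChain(src, { maxDepth = MAX_DEPTH, maxCalls = MAX_CALLS } = {}) {
  let pos = 0;
  let calls = 0;

  const peek = () => src[pos];
  const skipWs = () => { while (/\s/.test(src[pos] || '')) pos++; };
  const expect = (ch) => {
    if (src[pos] !== ch) throw new SyntaxError(`expected '${ch}' at ${pos}`);
    pos++;
  };

  function ident() {
    const m = /^[A-Za-z_][A-Za-z0-9_]*/.exec(src.slice(pos));
    if (!m) throw new SyntaxError(`expected identifier at ${pos}`);
    pos += m[0].length;
    return m[0];
  }

  function arg(depth) {
    skipWs();
    if (peek() === '.') return chain(depth + 1);   // nested chain: one level deeper
    const num = /^-?\d+(\.\d+)?/.exec(src.slice(pos));
    if (num) { pos += num[0].length; return { type: 'number', value: Number(num[0]) }; }
    if (peek() === '"') {
      const end = src.indexOf('"', pos + 1);
      if (end < 0) throw new SyntaxError('unterminated string');
      const value = src.slice(pos + 1, end);
      pos = end + 1;
      return { type: 'string', value };
    }
    throw new SyntaxError(`unexpected '${peek()}' at ${pos}`);
  }

  function chain(depth) {
    // Reject before building anything for this level: the check is cheap and
    // happens while parsing, so no data is generated for an oversized expression.
    if (depth > maxDepth) {
      throw new ExpressionTooLargeError(`nesting depth ${depth} exceeds limit ${maxDepth}`);
    }
    const node = { type: 'chain', calls: [] };
    skipWs();
    while (peek() === '.') {
      if (++calls > maxCalls) {
        throw new ExpressionTooLargeError(`more than ${maxCalls} function calls`);
      }
      pos++;
      const name = ident();
      expect('(');
      const args = [];
      skipWs();
      if (peek() !== ')') {
        args.push(arg(depth));
        skipWs();
        while (peek() === ',') { pos++; args.push(arg(depth)); skipWs(); }
      }
      expect(')');
      node.calls.push({ name, args });
      skipWs();
    }
    if (node.calls.length === 0) throw new SyntaxError(`expected '.' at ${pos}`);
    return node;
  }

  const ast = chain(1);
  skipWs();
  if (pos !== src.length) throw new SyntaxError(`trailing input at ${pos}`);
  return ast;
}

// Depth of a parsed AST: 1 for the top-level chain plus the deepest nested chain.
function astDepth(node) {
  if (node.type !== 'chain') return 0;
  let deepest = 0;
  for (const call of node.calls) {
    for (const a of call.args) deepest = Math.max(deepest, astDepth(a));
  }
  return 1 + deepest;
}

// Total number of function calls in the AST, nested arguments included.
function countCalls(node) {
  if (node.type !== 'chain') return 0;
  return node.calls.reduce((n, c) => n + 1 + c.args.reduce((m, a) => m + countCalls(a), 0), 0);
}

// Entry point a request handler would call before evaluating an expression:
// returns { ok: true, depth, calls } or { ok: false, reason } and never throws.
function validateExpression(src, limits) {
  try {
    const ast = parseChain(src, limits);
    return { ok: true, depth: astDepth(ast), calls: countCalls(ast) };
  } catch (e) {
    return { ok: false, reason: `${e.constructor.name}: ${e.message}` };
  }
}
```

The design point is that both bounds are checked during parsing rather than after the data structure exists: an expression is refused by the depth or call counter before the evaluator allocates anything for it, which is the property the advisory describes as absent in the affected versions.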

Impact

Successful exploitation forces the Kibana service to crash due to memory exhaustion, making Kibana unavailable to all users [1]. No data is compromised (no confidentiality or integrity loss), but the denial of service persists until the service is restarted [1]. The CVSS v3.1 score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [1].

Mitigation

The vulnerability is fixed in Kibana versions 8.19.16 and 9.3.5 [1]. Users should upgrade to these releases or later. For Elastic Cloud Serverless environments, the fix was automatically deployed before public disclosure [1]. No other workarounds are documented; limiting Timelion access to trusted users may reduce risk but is not a complete mitigation.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)