CVE-2026-0543
Unknown Unknown - Not Provided
Improper Input Validation in Kibana Email Connector Causes DoS

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Elastic

Description
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0543
EUVD
EUVD-2026-2035
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.9 (inc)
elastic kibana From 9.0.0 (inc) to 9.1.9 (inc)
elastic kibana From 9.2.0 (inc) to 9.2.3 (inc)
elastic kibana 8.19.10
elastic kibana 9.1.10
elastic kibana 9.2.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Input Validation issue in Kibana's Email Connector. It allows an attacker with authenticated view-level privileges to cause excessive memory allocation by providing a specially crafted email address parameter. This leads to the application attempting to process the malformed email format, resulting in complete service unavailability until a manual restart is performed.

Impact Analysis

The vulnerability can cause complete service unavailability for all users of Kibana until the service is manually restarted. This denial of service can disrupt operations and access to the application.

Mitigation Strategies

To mitigate this vulnerability, ensure that only trusted users have authenticated access with view-level privileges to execute connector actions. Monitor and restrict the use of the Email Connector to prevent processing of specially crafted email addresses. If service unavailability occurs, perform a manual restart of the Kibana service to restore availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart