CVE-2026-0543
Improper Input Validation in Kibana Email Connector Causes DoS
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: Elastic
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | From 8.0.0 (inc) to 8.19.9 (inc) |
| elastic | kibana | From 9.0.0 (inc) to 9.1.9 (inc) |
| elastic | kibana | From 9.2.0 (inc) to 9.2.3 (inc) |
| elastic | kibana | 8.19.10 |
| elastic | kibana | 9.1.10 |
| elastic | kibana | 9.2.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Input Validation issue in Kibana's Email Connector. It allows an attacker with authenticated view-level privileges to cause excessive memory allocation by providing a specially crafted email address parameter. This leads to the application attempting to process the malformed email format, resulting in complete service unavailability until a manual restart is performed.
How can this vulnerability impact me? :
The vulnerability can cause complete service unavailability for all users of Kibana until the service is manually restarted. This denial of service can disrupt operations and access to the application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that only trusted users have authenticated access with view-level privileges to execute connector actions. Monitor and restrict the use of the Email Connector to prevent processing of specially crafted email addresses. If service unavailability occurs, perform a manual restart of the Kibana service to restore availability.