CVE-2026-26936
Regular Expression DoS in Kibana AI Inference Engine
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: Elastic
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | From 8.0.0 (inc) to 8.19.11 (exc) |
| elastic | kibana | From 9.0.0 (inc) to 9.2.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26936 is an inefficient regular expression complexity vulnerability (CWE-1333) found in the AI Inference Anonymization Engine of Kibana. This vulnerability can lead to a Denial of Service (DoS) attack through Regular Expression Exponential Blowup (CAPEC-492). It occurs when custom anonymization rules use inefficient regex patterns that cause excessive processing time, potentially disrupting the service.
This issue affects Kibana versions 8.x from 8.0.0 through 8.19.10 and 9.x from 9.0.0 through 9.2.4, but only if the Elastic AI Assistant for Security is explicitly enabled by configuring an AI connector and activating the AI Assistant feature. It is not enabled by default.
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) condition. An attacker can exploit inefficient regular expressions in the AI Inference Anonymization Engine to cause exponential blowup in regex processing, which can overwhelm system resources and disrupt the availability of the Kibana service.
This can lead to service downtime or degraded performance, affecting users who rely on Kibana's AI Assistant for Security features. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to inefficient regular expression processing in the AI Inference Anonymization Engine of Kibana when the Elastic AI Assistant for Security is explicitly enabled. Detection involves verifying if the AI Assistant feature is enabled with an AI connector configured (such as OpenAI, Amazon Bedrock, or Elastic Managed LLM) and if custom anonymization rules are in use.
Since the vulnerability arises from inefficient regex processing in custom anonymization rules, detection can focus on checking the Kibana configuration for the AI Assistant feature and the presence of custom anonymization rules.
No specific commands are provided in the available resources to detect exploitation or presence of this vulnerability on the network or system.
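As an added illustration (not Kibana's code and not taken from the advisory), the following JavaScript shows how a defender could vet a user-supplied anonymization regex before enabling it as a custom rule: a static scan for the nested-quantifier shape behind CWE-1333, plus a time-budgeted probe run. The function names, the probe input and the sample rules are constructed for this example; it assumes rule patterns are plain JavaScript RegExp sources.

```javascript
// Added example, not Kibana's own code. Vets a custom anonymization regex
// before it is accepted, so a pathological rule never reaches the
// anonymization pipeline.

// Static check: walk the pattern once, skipping escapes and character
// classes, and track for every open group whether it already contains a
// quantifier. A quantified group that itself contains a quantifier, e.g.
// "(a+)+", is the classic exponential-backtracking shape. Conservative:
// "{" counts as a quantifier even when it is bounded like "{3}".
function hasNestedQuantifier(source) {
  const stack = [];             // per open group: contains a quantifier?
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }           // skip the escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') { stack.push(false); continue; }
    if (c === ')') {
      const inner = stack.pop();
      const next = source[i + 1];
      const quantified = next === '+' || next === '*' || next === '{';
      if (inner && quantified) return true;       // (...+)+ style nesting
      if ((inner || quantified) && stack.length) stack[stack.length - 1] = true;
      continue;
    }
    if ((c === '+' || c === '*' || c === '{') && stack.length) {
      stack[stack.length - 1] = true;
    }
  }
  return false;
}

// Runtime probe: run the pattern once against a constructed input that
// defeats a quick match (a run of one character plus a non-matching tail)
// and report whether it blew the time budget. runLength is kept small on
// purpose; an exponential pattern is already visibly slow at 22.
function exceedsBudget(source, runLength = 22, budgetMs = 25) {
  const re = new RegExp(source);
  const input = 'a'.repeat(runLength) + '!';
  const start = Date.now();
  re.test(input);
  return Date.now() - start > budgetMs;
}

// Hypothetical gate a rule store could apply before enabling a rule.
function vetAnonymizationRule(source) {
  if (hasNestedQuantifier(source)) return { ok: false, reason: 'nested quantifier' };
  if (exceedsBudget(source)) return { ok: false, reason: 'slow on probe input' };
  return { ok: true, reason: 'accepted' };
}

// Constructed sample rules: an email-like matcher and a pathological one.
for (const rule of ['[a-z0-9._]+@[a-z0-9.-]+\\.[a-z]{2,}', '(a+)+$']) {
  console.log(rule, '->', vetAnonymizationRule(rule));
}
```

The static scan is a heuristic: it catches the nested-quantifier family but not overlapping alternations such as `(a|aa)+`, which is why the probe run is kept as a second line of defence.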
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Kibana to versions 8.19.11 or 9.2.5 or later, where the vulnerability is resolved.
If upgrading is not immediately possible, disable all custom anonymization rules via the Security AI settings → Anonymization tab in Kibana. This prevents execution of the vulnerable regex pipeline.
Note that the vulnerability only affects systems where the Elastic AI Assistant for Security is explicitly enabled with an AI connector configured and the AI Assistant feature activated.