CVE-2026-26936
Received Received - Intake

Regular Expression DoS in Kibana AI Inference Engine

Vulnerability report for CVE-2026-26936, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: Elastic

Description

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-07-06
AI Q&A
2026-02-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.11 (exc)
elastic kibana From 9.0.0 (inc) to 9.2.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-26936 is an inefficient regular expression complexity vulnerability (CWE-1333) found in the AI Inference Anonymization Engine of Kibana. This vulnerability can lead to a Denial of Service (DoS) attack through Regular Expression Exponential Blowup (CAPEC-492). It occurs when custom anonymization rules use inefficient regex patterns that cause excessive processing time, potentially disrupting the service.

This issue affects Kibana versions 8.x from 8.0.0 through 8.19.10 and 9.x from 9.0.0 through 9.2.4, but only if the Elastic AI Assistant for Security is explicitly enabled by configuring an AI connector and activating the AI Assistant feature. It is not enabled by default.

Impact Analysis

[{'type': 'paragraph', 'content': 'The primary impact of this vulnerability is a Denial of Service (DoS) condition. An attacker can exploit inefficient regular expressions in the AI Inference Anonymization Engine to cause exponential blowup in regex processing, which can overwhelm system resources and disrupt the availability of the Kibana service.'}, {'type': 'paragraph', 'content': "This can lead to service downtime or degraded performance, affecting users who rely on Kibana's AI Assistant for Security features."}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability is related to inefficient regular expression processing in the AI Inference Anonymization Engine of Kibana when the Elastic AI Assistant for Security is explicitly enabled. Detection involves verifying if the AI Assistant feature is enabled with an AI connector configured (such as OpenAI, Amazon Bedrock, or Elastic Managed LLM) and if custom anonymization rules are in use.

Since the vulnerability arises from inefficient regex processing in custom anonymization rules, detection can focus on checking the Kibana configuration for the AI Assistant feature and the presence of custom anonymization rules.

No specific commands are provided in the available resources to detect exploitation or presence of this vulnerability on the network or system.

Mitigation Strategies

The primary mitigation is to upgrade Kibana to versions 8.19.11 or 9.2.5 or later, where the vulnerability is resolved.

If upgrading is not immediately possible, disable all custom anonymization rules via the Security AI settings β†’ Anonymization tab in Kibana. This prevents execution of the vulnerable regex pipeline.

Note that the vulnerability only affects systems where the Elastic AI Assistant for Security is explicitly enabled with an AI connector configured and the AI Assistant feature activated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart