CVE-2026-26936
Received Received - Intake
Regular Expression DoS in Kibana AI Inference Engine

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: Elastic

Description
Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26936
EUVD
EUVD-2026-8866
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.11 (exc)
elastic kibana From 9.0.0 (inc) to 9.2.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26936 is an inefficient regular expression complexity vulnerability (CWE-1333) found in the AI Inference Anonymization Engine of Kibana. This vulnerability can lead to a Denial of Service (DoS) attack through Regular Expression Exponential Blowup (CAPEC-492). It occurs when custom anonymization rules use inefficient regex patterns that cause excessive processing time, potentially disrupting the service.

This issue affects Kibana versions 8.x from 8.0.0 through 8.19.10 and 9.x from 9.0.0 through 9.2.4, but only if the Elastic AI Assistant for Security is explicitly enabled by configuring an AI connector and activating the AI Assistant feature. It is not enabled by default.

Impact Analysis

[{'type': 'paragraph', 'content': 'The primary impact of this vulnerability is a Denial of Service (DoS) condition. An attacker can exploit inefficient regular expressions in the AI Inference Anonymization Engine to cause exponential blowup in regex processing, which can overwhelm system resources and disrupt the availability of the Kibana service.'}, {'type': 'paragraph', 'content': "This can lead to service downtime or degraded performance, affecting users who rely on Kibana's AI Assistant for Security features."}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability is related to inefficient regular expression processing in the AI Inference Anonymization Engine of Kibana when the Elastic AI Assistant for Security is explicitly enabled. Detection involves verifying if the AI Assistant feature is enabled with an AI connector configured (such as OpenAI, Amazon Bedrock, or Elastic Managed LLM) and if custom anonymization rules are in use.

Since the vulnerability arises from inefficient regex processing in custom anonymization rules, detection can focus on checking the Kibana configuration for the AI Assistant feature and the presence of custom anonymization rules.

No specific commands are provided in the available resources to detect exploitation or presence of this vulnerability on the network or system.

Mitigation Strategies

The primary mitigation is to upgrade Kibana to versions 8.19.11 or 9.2.5 or later, where the vulnerability is resolved.

If upgrading is not immediately possible, disable all custom anonymization rules via the Security AI settings β†’ Anonymization tab in Kibana. This prevents execution of the vulnerable regex pipeline.

Note that the vulnerability only affects systems where the Elastic AI Assistant for Security is explicitly enabled with an AI connector configured and the AI Assistant feature activated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart