CVE-2026-26937
Received Received - Intake
Uncontrolled Resource Consumption in Kibana Timelion Causes DoS

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: Elastic

Description
Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26937
EUVD
EUVD-2026-8872
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.11 (exc)
elastic kibana From 9.0.0 (inc) to 9.2.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26937 is an Uncontrolled Resource Consumption vulnerability (CWE-400) found in the Timelion component of Kibana. It allows attackers to manipulate input data to cause excessive resource consumption, which can lead to a Denial of Service (DoS) condition.

Timelion is a legacy visualization feature enabled by default in Kibana installations. The vulnerability affects Kibana versions from 8.0.0 up to 8.19.10 and from 9.0.0 up to 9.2.4.

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) on your Kibana service. Attackers can exploit the vulnerability by manipulating input data to consume excessive resources, which disrupts the availability of the service.

The CVSS v3.1 score is 6.5, indicating a medium severity with high impact on availability but no impact on confidentiality or integrity.

If you are unable to upgrade to a fixed version, you can mitigate the risk by disabling the Timelion plugin via the configuration setting `vis_type_timelion.enabled: false` in the kibana.yml file, unless you are using Elastic Cloud hosted environments where disabling Timelion is not possible.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves uncontrolled resource consumption in the Timelion component of Kibana, which can lead to Denial of Service via input data manipulation. Detection would involve monitoring for unusual or excessive resource usage related to Timelion visualizations.

Since the vulnerability is triggered by manipulated input data causing high resource consumption, you can check Kibana logs and system resource metrics for spikes or anomalies when Timelion visualizations are accessed.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Kibana to version 8.19.11 or 9.2.5 or later, where the issue is resolved.

If upgrading is not possible and you are a self-managed customer who does not use Timelion visualizations, you can disable the Timelion plugin by setting `vis_type_timelion.enabled: false` in the kibana.yml configuration file.

Note that disabling Timelion is not possible in Elastic Cloud hosted environments, so upgrading to a patched version is strongly recommended in those cases.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26937. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart