CVE-2026-26940
Received Received - Intake
Denial of Service via Improper Quantity Validation in Kibana Timelion

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: Elastic

Description
Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26940
EUVD
EUVD-2026-13145
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.13 (exc)
elastic kibana From 9.0.0 (inc) to 9.2.7 (exc)
elastic kibana From 9.3.0 (inc) to 9.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26940 is a vulnerability in the Timelion visualization plugin of Kibana that affects multiple versions. It occurs due to improper validation of a specified quantity in the input, allowing an authenticated user to submit a specially crafted Timelion expression.

This crafted expression overwrites internal series data properties with an excessively large quantity value, which causes excessive memory allocation.

As a result, the Node.js process running Kibana crashes due to memory exhaustion, leading to a Denial of Service (DoS).

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) condition by crashing the Kibana server process.

An attacker with authenticated access can exploit this issue to exhaust server memory, causing the Node.js process to fail and making the Kibana service unavailable.

This impacts the availability of the Kibana service, potentially disrupting business operations that rely on it.

  • No confidentiality or integrity impact has been reported.
  • The vulnerability requires low privileges and no user interaction to exploit.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring Kibana server logs for signs of memory exhaustion related to the Timelion plugin. Indicators of compromise include JavaScript heap out of memory errors or fatal allocation failures such as "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed", which indicate Node.js process crashes due to excessive memory allocation.'}, {'type': 'paragraph', 'content': 'You can check Kibana logs for these errors using commands like:'}, {'type': 'list_item', 'content': "grep -i 'FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed' /path/to/kibana/logs/kibana.log"}, {'type': 'list_item', 'content': "grep -i 'JavaScript heap out of memory' /path/to/kibana/logs/kibana.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring the Node.js process for unexpected crashes or high memory usage can help detect exploitation attempts.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade Kibana to a fixed version where the vulnerability is resolved. Specifically, upgrade to versions 8.19.13, 9.2.7, or 9.3.2 or later.

If upgrading is not immediately possible and you are running a self-hosted deployment, you can disable the Timelion plugin by adding the following setting to your Kibana configuration YAML file:

  • vis_type_timelion.enabled: false

Note that there is no workaround available for Elastic Cloud users, and Elastic Cloud Serverless environments have already been patched prior to public disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart