CVE-2026-26940
Denial of Service via Improper Quantity Validation in Kibana Timelion
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: Elastic
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | From 8.0.0 (inc) to 8.19.13 (exc) |
| elastic | kibana | From 9.0.0 (inc) to 9.2.7 (exc) |
| elastic | kibana | From 9.3.0 (inc) to 9.3.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26940 is a vulnerability in the Timelion visualization plugin of Kibana that affects multiple versions. It occurs due to improper validation of a specified quantity in the input, allowing an authenticated user to submit a specially crafted Timelion expression.
This crafted expression overwrites internal series data properties with an excessively large quantity value, which causes excessive memory allocation.
As a result, the Node.js process running Kibana crashes due to memory exhaustion, leading to a Denial of Service (DoS).
How can this vulnerability impact me?
This vulnerability can cause a Denial of Service (DoS) condition by crashing the Kibana server process.
An attacker with authenticated access can exploit this issue to exhaust server memory, causing the Node.js process to fail and making the Kibana service unavailable.
This impacts the availability of the Kibana service, potentially disrupting business operations that rely on it.
- No confidentiality or integrity impact has been reported.
- The vulnerability requires low privileges and no user interaction to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring Kibana server logs for signs of memory exhaustion related to the Timelion plugin. Indicators include JavaScript heap out of memory errors or fatal allocation failures such as "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed", which show that the Node.js process crashed due to excessive memory allocation.
You can check Kibana logs for these errors using commands like:
- grep -i 'FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed' /path/to/kibana/logs/kibana.log
- grep -i 'JavaScript heap out of memory' /path/to/kibana/logs/kibana.log
Additionally, monitoring the Node.js process for unexpected crashes or high memory usage can help detect exploitation attempts. [1]
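The two grep commands above find the crash lines but not what ran just before them. The script below is an added example (not from the advisory or from Elastic) that counts heap-exhaustion lines and prints each crash together with the log lines preceding it. The function names `oom_count`, `oom_events` and `sample_log` are my own, and the sample log is constructed: its line layout imitates Kibana's default pattern layout and the FATAL ERROR lines are the V8 messages the answer above cites, but none of it comes from a real deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or Elastic): scan a Kibana log for the
# Node.js heap-exhaustion signatures and show the lines that preceded each
# crash, so the request that ran just before it is visible.

# Both V8 messages the advisory text points at. A real crash usually prints them
# on one line ("... Allocation failed - JavaScript heap out of memory"), so hits
# are counted per line, not per pattern, to avoid double counting one crash.
OOM_REGEX='FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed|JavaScript heap out of memory'

# Number of log lines carrying a heap-exhaustion signature (prints 0 if none).
oom_count() {
  grep -Eic "$OOM_REGEX" "$1" || true
}

# Print each crash with the 3 lines before it; exit 0 if any crash was found.
oom_events() {
  awk -v ctx=4 -v re="$OOM_REGEX" '
    { buf[NR % ctx] = $0 }     # ring buffer: current line plus the ctx-1 before it
    tolower($0) ~ tolower(re) {
      hits++
      print "--- heap exhaustion event " hits " (line " NR ")"
      for (i = ctx - 1; i >= 1; i--)
        if (NR - i >= 1) print "    " buf[(NR - i) % ctx]
      print ">>> " $0
    }
    END { exit (hits > 0 ? 0 : 1) }
  ' "$1"
}

# Constructed sample log for a self-contained run (hypothetical content; the
# timestamps, request lines and GC trace are made up, not captured anywhere).
sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[2026-03-20T10:15:01.004+00:00][INFO ][http.server.response] POST /api/timelion/run 200 - 12ms
[2026-03-20T10:15:01.310+00:00][INFO ][http.server.response] POST /api/timelion/run 200 - 9ms
<--- Last few GCs --->
[1337:0x5f1a2b0]    61234 ms: Mark-sweep 4055.3 (4099.8) -> 4054.9 (4099.8) MB
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
[2026-03-20T10:15:09.120+00:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
[2026-03-20T10:15:14.802+00:00][INFO ][http.server.Kibana] http server running at http://0.0.0.0:5601
[2026-03-20T10:16:40.771+00:00][INFO ][http.server.response] POST /api/timelion/run 200 - 10ms
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
EOF
  printf '%s\n' "$f"
}

# Demo run against the constructed sample; point the functions at a real
# kibana.log (or a saved journal) instead.
log=$(sample_log)
oom_events "$log"
echo "heap exhaustion lines: $(oom_count "$log")"
rm -f "$log"
```

One caveat when using this on a real host: the FATAL ERROR lines are written by V8 to the process's stderr, not through Kibana's own logger, so on a systemd-managed install they land in the journal rather than in kibana.log. Save the journal first (for example `journalctl -u kibana -o cat > kibana.journal`) and run `oom_events kibana.journal` on that file.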
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Kibana to a release in which the vulnerability is fixed: 8.19.13, 9.2.7 or 9.3.2, or a later release of the same line.
If upgrading is not immediately possible and you are running a self-hosted deployment, you can disable the Timelion plugin by adding the following setting to your Kibana configuration YAML file:
- vis_type_timelion.enabled: false
Note that there is no workaround available for Elastic Cloud users, and Elastic Cloud Serverless environments have already been patched prior to public disclosure.
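To turn the affected-version table and the workaround above into a check you can run on each self-hosted Kibana host, here is an added example script (my own, not Elastic's). It encodes the three ranges from the table as half-open intervals, compares a version string against them, and looks in a kibana.yml for the `vis_type_timelion.enabled: false` setting on an uncommented line. The names `vernum`, `kibana_affected`, `timelion_disabled` and `exposure` are hypothetical, and the kibana.yml in the demo is constructed.

```shell
#!/bin/sh
# Added example (not Elastic's code): decide whether a self-hosted Kibana is in
# one of the CVE-2026-26940 affected ranges and, if so, whether the documented
# workaround (vis_type_timelion.enabled: false) is present in its kibana.yml.

# Affected ranges from the advisory table as from:to pairs; "to" is the fixed
# release and is excluded, matching "(inc)" / "(exc)" in the table.
AFFECTED_RANGES="8.0.0:8.19.13 9.0.0:9.2.7 9.3.0:9.3.2"

# Map "MAJOR.MINOR.PATCH" to a sortable integer (8.19.13 -> 8019013).
# A pre-release suffix such as "-SNAPSHOT" is dropped first.
vernum() {
  IFS=. read -r major minor patch <<EOF
${1%%-*}
EOF
  printf '%d%03d%03d' "$major" "${minor:-0}" "${patch:-0}"
}

# Exit 0 when VERSION falls inside an affected [from, to) range, 1 otherwise.
kibana_affected() {
  v=$(vernum "$1")
  for range in $AFFECTED_RANGES; do
    lo=$(vernum "${range%%:*}")
    hi=$(vernum "${range##*:}")
    if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# Exit 0 when the kibana.yml at $1 carries the workaround on an uncommented line
# (a "# vis_type_timelion.enabled: false" line does not count).
timelion_disabled() {
  grep -Eq '^[[:space:]]*vis_type_timelion\.enabled[[:space:]]*:[[:space:]]*false[[:space:]]*$' "$1"
}

# Print a verdict for VERSION plus KIBANA_YML; exit 0 unless the host is exposed.
exposure() {
  if ! kibana_affected "$1"; then
    echo "not-affected"
  elif timelion_disabled "$2"; then
    echo "affected-mitigated"
  else
    echo "affected-exposed"
    return 1
  fi
}

# Demo against a constructed kibana.yml (hypothetical, not a deployment's file).
demo_yml=$(mktemp)
printf '%s\n' 'server.port: 5601' 'vis_type_timelion.enabled: false' > "$demo_yml"
for ver in 8.19.12 8.19.13 9.2.6 9.3.1 9.3.2; do
  printf '%-8s %s\n' "$ver" "$(exposure "$ver" "$demo_yml")"
done
rm -f "$demo_yml"
```

Run it with the version reported by your Kibana and the path to its config, for example `exposure 9.2.6 /etc/kibana/kibana.yml`. Note the half-open comparison: 8.19.13 itself is reported as not affected, because the table marks the upper bound "(exc)", and a version outside all three ranges (such as a 7.x release) is also reported as not affected, exactly as the table states, not as a claim that such releases were audited.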