CVE-2026-26940
Received Received - Intake

Denial of Service via Improper Quantity Validation in Kibana Timelion

Vulnerability report for CVE-2026-26940, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: Elastic

Description

Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-07-06
AI Q&A
2026-03-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
elastic kibana From 8.0.0 (inc) to 8.19.13 (exc)
elastic kibana From 9.0.0 (inc) to 9.2.7 (exc)
elastic kibana From 9.3.0 (inc) to 9.3.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-26940 is a vulnerability in the Timelion visualization plugin of Kibana that affects multiple versions. It occurs due to improper validation of a specified quantity in the input, allowing an authenticated user to submit a specially crafted Timelion expression.

This crafted expression overwrites internal series data properties with an excessively large quantity value, which causes excessive memory allocation.

As a result, the Node.js process running Kibana crashes due to memory exhaustion, leading to a Denial of Service (DoS).

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) condition by crashing the Kibana server process.

An attacker with authenticated access can exploit this issue to exhaust server memory, causing the Node.js process to fail and making the Kibana service unavailable.

This impacts the availability of the Kibana service, potentially disrupting business operations that rely on it.

  • No confidentiality or integrity impact has been reported.
  • The vulnerability requires low privileges and no user interaction to exploit.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring Kibana server logs for signs of memory exhaustion related to the Timelion plugin. Indicators of compromise include JavaScript heap out of memory errors or fatal allocation failures such as "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed", which indicate Node.js process crashes due to excessive memory allocation.'}, {'type': 'paragraph', 'content': 'You can check Kibana logs for these errors using commands like:'}, {'type': 'list_item', 'content': "grep -i 'FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed' /path/to/kibana/logs/kibana.log"}, {'type': 'list_item', 'content': "grep -i 'JavaScript heap out of memory' /path/to/kibana/logs/kibana.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring the Node.js process for unexpected crashes or high memory usage can help detect exploitation attempts.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade Kibana to a fixed version where the vulnerability is resolved. Specifically, upgrade to versions 8.19.13, 9.2.7, or 9.3.2 or later.

If upgrading is not immediately possible and you are running a self-hosted deployment, you can disable the Timelion plugin by adding the following setting to your Kibana configuration YAML file:

  • vis_type_timelion.enabled: false

Note that there is no workaround available for Elastic Cloud users, and Elastic Cloud Serverless environments have already been patched prior to public disclosure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart