CVE-2026-33464
Received - Intake
Uncontrolled Resource Consumption in Kibana via Excessive Allocation

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Elastic

Description
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-29
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
elastic | kibana | up to 8.19.16 (exclusive)
elastic | kibana | up to 9.3.5 (exclusive)
CWE
CWE ID | Description
CWE-400 | The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33464 is a vulnerability in Kibana that allows an authenticated user with a low-privileged role to cause a denial of service. This is done by submitting a specially crafted, oversized payload to an internal Kibana API, which leads to uncontrolled resource consumption. As a result, the Kibana process exhausts available system resources and becomes unresponsive to all users until it recovers or is restarted.


How can this vulnerability impact me?

The vulnerability can cause a denial of service in Kibana, making the service unresponsive to all users. This happens because the system resources are exhausted by the oversized payload submitted by an authenticated low-privileged user. The impact is that Kibana will stop functioning properly until it is either restarted or recovers on its own, potentially disrupting operations that depend on Kibana.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Kibana to a patched version. The vulnerability is fixed in Kibana versions 8.19.16, 9.3.5, and 9.4.1.

  • Upgrade Kibana to version 8.19.16 or later if you are using the 8.x series.
  • Upgrade Kibana to version 9.3.5 or later if you are using the 9.x series.
  • Restrict authenticated access to trusted users only, especially those with at least the Viewer role, to reduce risk until the upgrade is applied.

Note that Elastic Cloud Serverless deployments are not affected due to their continuous deployment and patching model.

