CVE-2026-0531

Source
https://cve.org/CVERecord?id=CVE-2026-0531
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0531.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0531
Published
2026-01-13T21:15:50.990Z
Modified
2026-03-13T04:12:21.077593Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

Affected packages

Git / github.com/elastic/kibana

Affected ranges

Type
GIT
Repo
https://github.com/elastic/kibana
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.10.0"
        },
        {
            "fixed": "7.17.29"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.19.10"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.1.10"
        },
        {
            "introduced": "9.2.0"
        },
        {
            "fixed": "9.2.4"
        }
    ]
}

Affected versions

v9.*
v9.2.0
v9.2.1
v9.2.2
v9.2.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0531.json"