Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).
{
"cna_assigner": "elastic",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26936.json",
"cwe_ids": [
"CWE-1333"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "9.0.0"
},
{
"last_affected": "9.2.4"
},
{
"introduced": "8.0.0"
},
{
"last_affected": "8.19.10"
}
]
}
]
}"2026-07-15T19:06:41Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26936.json"
[
{
"target": {
"file": "x-pack/qa/smoke-test-plugins/src/yamlRestTest/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java"
},
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/c5253e1bcb0268a5dafed9dee18e16fd3144d7d6",
"digest": {
"threshold": 0.9,
"line_hashes": [
"67958334585825714849455926389824173504",
"49769434037812949664189021955097285593",
"107611419671639204768516196227487681074",
"48312006114770059720746865713989822929",
"248958784273211857044989620787872488517",
"75802550358090574096053905707144603959",
"21560704965187282733380529487578996276",
"8326220523718658525643826498535441288",
"213342091194022385860304242610174038525",
"315819863610486750302894041420463677234",
"148630765578338457959192664825300294092",
"167479143163991302743966239210217273901",
"190946360178340220594583878190102844445"
]
},
"id": "CVE-2026-26936-138534e9",
"signature_type": "Line",
"signature_version": "v1"
},
{
"target": {
"file": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/RestrictedBuildApiService.java",
"function": "createLegacyRestTestBasePluginUsage"
},
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/c5253e1bcb0268a5dafed9dee18e16fd3144d7d6",
"digest": {
"function_hash": "155620418688305992948385524838569426919",
"length": 4740.0
},
"id": "CVE-2026-26936-34ba32cc",
"signature_type": "Function",
"signature_version": "v1"
},
{
"target": {
"file": "qa/packaging/src/test/java/org/elasticsearch/packaging/test/DebPreservationTests.java"
},
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/c26a2652b4f4e323c18bdb4f56f0038c8aece886",
"digest": {
"threshold": 0.9,
"line_hashes": [
"104341741720985942956856196937647807500",
"271151612312193955454724471074202598864",
"165377307239638983758185782901512973983"
]
},
"id": "CVE-2026-26936-49f06dd7",
"signature_type": "Line",
"signature_version": "v1"
},
{
"target": {
"file": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/RestrictedBuildApiService.java"
},
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/c5253e1bcb0268a5dafed9dee18e16fd3144d7d6",
"digest": {
"threshold": 0.9,
"line_hashes": [
"78637196553999327818313358661597015893",
"260357489921711909644179055701012144494",
"168171097652227989481226126387620450914",
"276019913365898672716067232276777300496",
"39902617813431869600351512456501808243",
"129731127940613826295029063901046874891",
"241800218635807528117255849270828382938",
"195098916670087081962653811752912119348",
"142290314229480930363705806533655642610",
"89148120390549035649496953382118294449",
"14714953909408205505242916320820244884",
"174751036001569857786587416259331727361",
"185746039614020417623603381703876744468",
"22934068466036208257905390040540738054"
]
},
"id": "CVE-2026-26936-8bac0d2b",
"signature_type": "Line",
"signature_version": "v1"
},
{
"target": {
"file": "qa/packaging/src/test/java/org/elasticsearch/packaging/test/DebPreservationTests.java",
"function": "test40RestartOnUpgrade"
},
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/c26a2652b4f4e323c18bdb4f56f0038c8aece886",
"digest": {
"function_hash": "141232404052381431885839358425350982043",
"length": 369.0
},
"id": "CVE-2026-26936-d758fb5b",
"signature_type": "Function",
"signature_version": "v1"
}
]