CVE-2026-0528

Summary

Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

Affected Software

VendorProductVersion RangeStatus
ElasticMetricbeat7.0.0 <= 7.17.29affected
ElasticMetricbeat8.0.0 <= 8.19.9affected
ElasticMetricbeat9.0.0 <= 9.1.9affected
ElasticMetricbeat9.2.0 <= 9.2.3affected

Weaknesses

  • CWE-129: CWE-129 Improper Validation of Array Index

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References