CVE-2026-0543

Summary

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.

Affected Software

VendorProductVersion RangeStatus
ElasticKibana8.0.0 <= 8.19.9affected
ElasticKibana7.0.0 <= 7.17.29affected
ElasticKibana9.0.0 <= 9.1.9affected
ElasticKibana9.2.0 <= 9.2.3affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References