CVE-2026-26940

Summary

Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.

Affected Software

VendorProductVersion RangeStatus
ElasticKibana9.3.0 <= 9.3.1affected
ElasticKibana9.0.0 <= 9.2.6affected
ElasticKibana8.0.0 <= 8.19.12affected

Weaknesses

  • CWE-1284: CWE-1284 Improper Validation of Specified Quantity in Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References