{"id":"CVE-2026-33464","summary":"Uncontrolled Resource Consumption in Kibana Leading to Denial of Service","details":"Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.","aliases":["BIT-elk-2026-33464","BIT-kibana-2026-33464"],"modified":"2026-06-26T04:09:55.416282860Z","published":"2026-05-28T19:35:31.655Z","database_specific":{"cwe_ids":["CWE-400"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"last_affected":"9.4.0"},{"introduced":"9.0.0"},{"last_affected":"9.3.4"},{"introduced":"8.0.0"},{"last_affected":"8.19.15"}]}],"cna_assigner":"elastic","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33464.json"},"references":[{"type":"WEB","url":"https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-1-security-update-esa-2026-32/386548"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33464.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33464"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"1b6a7ece17463df5ff54a3e1302d825889aa1161"},{"fixed":"0ecfe314ed6ddebb736091bf37b3b6758209b73b"},{"introduced":"112859b85d50de2a7e63f73c8fc70b99eea24291"},{"fixed":"7dcc32bebba091844c0207f9dae8fda6c7d08542"},{"introduced":"0"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:9.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.19.16"},{"introduced":"9.0.0"},{"fixed":"9.3.5"},{"introduced":"0"},{"last_affected":"9.4.0"}]}}],"versions":["v8.19.15","v9.3.4","v8.19.14","v9.3.3","v8.19.13","v9.3.2","v9.3.1","v8.19.12","v9.3.0","v8.19.11","v8.19.10","v8.19.9","v8.19.8","v8.19.7","v8.19.6","v8.19.5","v8.19.4","v8.19.3","v8.19.2","v8.19.1","v8.19.0","v8.0.0-alpha2","v8.0.0-alpha1","v7.0.0-alpha2","v7.0.0-alpha1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33464.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"fixed":"209c12d77d1bf1bc561abff2b91aa95f354734a3"},{"introduced":"504d6bfa94cca17fabb76e06152c30c4f0c3efdd"},{"fixed":"db396449a69d0613b0b4dc8b8e9789aa35504e0f"},{"introduced":"0"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","cpe:2.3:a:elastic:kibana:9.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.19.16"},{"introduced":"9.0.0"},{"fixed":"9.3.5"},{"introduced":"0"},{"last_affected":"9.4.0"}]}}],"versions":["v9.3.4","v8.19.15","v8.19.14","v9.3.3","v9.3.2","v8.19.13","v8.19.12","v9.3.1","v9.3.0","v8.19.11","v8.19.10","v8.19.9","deploy@1765779173","deploy@1765174614","deploy@1764659574","v8.19.8","deploy@1763964909","deploy@1763360043","deploy@1762755325","v8.19.7","deploy@1762150324","deploy@1761545598","v8.19.6","deploy@1760335957","v8.19.5","deploy@1759731406","deploy@1759126366","deploy@1758521525","v8.19.4","deploy@1757916930","deploy@1757311879","deploy@1756707119","deploy@1756102496","v8.19.3","deploy@1755497723","deploy@1754931892","v8.19.2","v8.19.1","deploy@1754288252","deploy@1753683246","v8.19.0","deploy@1753078461","deploy@1752473612","deploy@1751868905","deploy@1751277018","deploy@1751264043","deploy@1750659199","deploy@1750054502","deploy@1749449628","deploy@1748942782","deploy@1748844884","deploy@1748239962","deploy@1747635089","deploy@1747030444","deploy@1746425571","deploy@1745820726","deploy@1745272860","deploy@1744611164","deploy@1744006300","deploy@1743401509","deploy@1742796690","deploy@1742191921","deploy@1741587091","deploy@1740982600","deploy@1740377517","deploy@1739772912","deploy@1739168190","deploy@1738563299","deploy@1737958429","deploy@1737353792","deploy@1736748791","deploy@1736144018","deploy@1735539127","deploy@1734934371","deploy@1734329529","deploy@1733724770","deploy@1733120035","deploy@1732515196","deploy@1731910526","deploy@1731305644","deploy@1730700921","deploy@1730095989","deploy@1729491328","deploy@1728886420","deploy@1728281754","deploy@1727676838","deploy@1727071987","deploy@1726473511","deploy@1725862301","deploy@1725257503","deploy@1724652827","deploy@1724047965","deploy@1723443177","deploy@1722838314","deploy@1722233551","deploy@1721628835","deploy@1721023892","deploy@1720419201","deploy@1719814351","deploy@1719209622","deploy@1718616070","deploy@1718000036","deploy@1717401777","deploy@1717395230","deploy@1716800745","deploy@1716790412","deploy@1716185667","deploy@1715580861","deploy@1714976069","deploy@1714371303","deploy@1713766425","deploy@1713161715","deploy@1712566963","deploy@1711952105","deploy@1711370131","deploy@1710741924","deploy@1710146776","deploy@1710137117","deploy@1709533819","deploy@1709532332","deploy@1708927574","deploy@1708322739","deploy@1707717945","deploy@1707113127","deploy@1706508321","deploy@1705903520","deploy@1705306975","deploy@1705298718","deploy@1704693922","deploy@1704089101","deploy@1703484304","deploy@1702903357","deploy@1702879551","deploy@1702367069","deploy@1702284899","deploy@1701687168","deploy@1701160888","deploy@1700491293","deploy@1699865290","deploy@1699260155","deploy@1698657637","deploy@1698046713","deploy@1697564183","deploy@1697232175","test-depl-20231025084603","test-depl-20231013154558","deploy@1697028216","deploy@1696873111","deploy@1696618725","deploy@1696508231","deploy@1696415195","deploy@1696328885","deploy@1695286747","deploy@1694683198","deploy@1694506029","deploy@1694162455","deploy@1694087994","deploy@1693866333","deploy@1693860790","deploy@1693853982","deploy@1693609987","deploy@1693594780","v8.0.0-alpha2","v8.0.0-alpha1","v7.0.0-alpha1","7.0-known-good","v6.0.0-alpha2","v6.0.0-alpha1","v5.0.0-alpha5","v4.2.0-beta1","v4.0.0-beta3","v4.0.0-beta2","v4.0.0-beta1.1","v4.0.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33464.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}