CVE-2026-0528

6.5 MEDIUM

📋 TL;DR

This CVE describes two denial-of-service vulnerabilities in Metricbeat where specially crafted payloads sent to Graphite or Zookeeper metricsets, or malformed metric data sent to the Prometheus helper module, can cause the service to crash. Users running vulnerable versions of Metricbeat with these metricsets enabled are affected.

💻 Affected Systems

Products:
  • Elastic Metricbeat
Versions: prior to 8.19.10, 9.1.10, 9.2.4
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Graphite server metricset, Zookeeper server metricset, or Prometheus helper module are enabled and receiving external input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service where Metricbeat crashes and stops collecting metrics, potentially affecting monitoring capabilities across infrastructure.

🟠 Likely Case

Intermittent Metricbeat crashes requiring manual restart, causing gaps in metric collection and monitoring visibility.

🟢 If Mitigated

Minimal impact with proper network controls and input validation in place, potentially causing temporary service disruption.

🌐 Internet-Facing: MEDIUM - Exploitation requires sending specially crafted payloads to exposed metricsets, but many deployments keep these internal.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit these vulnerabilities to disrupt monitoring.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted payloads to vulnerable endpoints, which is relatively straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.19.10, 9.1.10, or 9.2.4

Vendor Advisory: https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519

Restart Required: Yes

Instructions:

1. Download the patched version from Elastic's official repository.
2. Stop the Metricbeat service.
3. Install the updated version.
4. Restart the Metricbeat service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Disable vulnerable metricsets (platform: all)

Temporarily disable the Graphite server and Zookeeper server metricsets and the Prometheus helper module if they are not required.

Edit metricbeat.yml and comment out or remove the affected modules

Network isolation (platform: linux)

Restrict network access to Metricbeat endpoints using firewall rules.

iptables -A INPUT -p tcp --dport [metricbeat_port] -s [trusted_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [metricbeat_port] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can send data to Metricbeat endpoints
  • Monitor Metricbeat process health and implement automatic restart mechanisms for crashes

🔍 How to Verify

Check if Vulnerable:

Check Metricbeat version with: metricbeat version

Check Version:

metricbeat version

Verify Fix Applied:

Verify the version is 8.19.10, 9.1.10, 9.2.4, or higher with: metricbeat version
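
As an added example (not from Elastic or the original page), the shell functions below classify a `metricbeat version` output line against the fixed releases listed above, comparing each component numerically so that 8.2.x is not mistaken for being newer than 8.19.10. The output-line format, the branch mapping and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Elastic's tooling): classify a Metricbeat version
# against the fixed releases listed on this page (8.19.10, 9.1.10, 9.2.4).

# Pull the first x.y.z token out of `metricbeat version` output.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed if version $1 >= version $2 (numeric major.minor.patch compare).
version_ge() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        a=${a#*.} b=${b#*.}
    done
    return 0
}

# Print "fixed", "vulnerable" or "unknown" for a version string or output line.
classify_version() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    # Assumed branch mapping: <=8.x -> 8.19.10, 9.0/9.1 -> 9.1.10, 9.2 -> 9.2.4;
    # anything newer than 9.2 is assumed to already ship the fix.
    if [ "$major" -le 8 ]; then fix=8.19.10
    elif [ "$major" -eq 9 ] && [ "$minor" -le 1 ]; then fix=9.1.10
    elif [ "$major" -eq 9 ] && [ "$minor" -eq 2 ]; then fix=9.2.4
    else echo fixed; return 0
    fi
    if version_ge "$v" "$fix"; then echo fixed; else echo vulnerable; fi
}

# Constructed sample line in the assumed `metricbeat version` output format.
SAMPLE='metricbeat version 8.19.9 (amd64), libbeat 8.19.9 [constructed sample]'
classify_version "$SAMPLE"
# Against a live host: classify_version "$(metricbeat version)"
```

An "unknown" result means no x.y.z token was found in the input and the host should be checked by hand.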

📡 Detection & Monitoring

Log Indicators:

  • Metricbeat crash logs
  • Unexpected process termination
  • Error messages related to array bounds or input validation

Network Indicators:

  • Unusual traffic patterns to Metricbeat ports
  • Large or malformed payloads sent to metric endpoints

SIEM Query:

process.name:"metricbeat" AND (event.action:"crashed" OR log.level:"error")
