CVE-2026-0530
📋 TL;DR
This vulnerability in Kibana Fleet allows attackers to send specially crafted requests that cause excessive resource allocation, leading to service degradation or complete unavailability through resource exhaustion. It affects Kibana instances with Fleet enabled, particularly those exposed to untrusted networks.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for Kibana and potentially dependent Elasticsearch services, causing extended downtime and data unavailability.
Likely Case
Service degradation with increased response times, failed requests, and potential partial outages affecting Kibana Fleet operations.
If Mitigated
Minimal impact with proper rate limiting, network segmentation, and resource monitoring in place.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to Kibana Fleet endpoints. No authentication is required, an inference drawn from the CWE-770 (Allocation of Resources Without Limits or Throttling) classification.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.19.11, 9.1.11, 9.2.5 or later
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521
Restart Required: Yes
Instructions:
1. Download the patched Kibana version from Elastic's official repository.
2. Back up your Kibana configuration and data.
3. Stop the Kibana service.
4. Install the updated version.
5. Restart the Kibana service.
6. Verify the service is running correctly.
🔧 Temporary Workarounds
Implement Rate Limiting
Configure rate limiting on Kibana Fleet endpoints to prevent excessive requests
# Configure via kibana.yml or a reverse proxy such as nginx
# Example nginx rate limiting (limit_req_zone goes in the http block,
# the location block in the server that proxies Kibana):
limit_req_zone $binary_remote_addr zone=kibana:10m rate=10r/s;
location /api/fleet/ {
limit_req zone=kibana burst=20 nodelay;
}
Disable Fleet Feature
Temporarily disable Kibana Fleet if it is not required
# In kibana.yml add:
xpack.fleet.enabled: false
# Then restart Kibana
🧯 If You Can't Patch
- Implement strict network access controls to limit Kibana Fleet endpoints to trusted sources only
- Deploy resource monitoring and alerting for Kibana processes to detect abnormal resource consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check the Kibana version and whether Fleet is enabled. Vulnerable if the version is 8.19.10, 9.1.10, 9.2.4 or earlier and Fleet is enabled.
Check Version:
curl -X GET "localhost:5601/api/status" | grep -o '"number":"[^"]*"'
Verify Fix Applied:
Verify Kibana version is 8.19.11, 9.1.11, 9.2.5 or later and test Fleet functionality remains operational.
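The version comparison above is easy to get wrong by hand when three release branches are involved, so the following script, added here as an example and not code from Elastic or from this advisory, encodes the advisory's fixed versions per branch and evaluates the output of the /api/status check. It assumes the status response carries the version under version.number (the field the grep pattern above matches); the sample response is constructed. Branches the advisory does not list return None rather than a guess.

```python
import json
import re
from typing import Optional, Tuple

# First fixed release per branch, exactly as stated in the advisory
# (8.19.11, 9.1.11, 9.2.5). Keyed by (major, minor).
FIXED_VERSIONS = {
    (8, 19): (8, 19, 11),
    (9, 1): (9, 1, 11),
    (9, 2): (9, 2, 5),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; any suffix such as '-SNAPSHOT' is ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str, fleet_enabled: bool = True) -> Optional[bool]:
    """True if this build is affected, False if it is fixed or Fleet is off,
    None if the branch is not covered by the advisory (no conclusion possible)."""
    if not fleet_enabled:
        return False  # the advisory ties exposure to Fleet being enabled
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def version_from_status(status_json: str) -> str:
    """Extract version.number from a Kibana /api/status response body
    (field name assumed from the grep pattern used in the manual check)."""
    doc = json.loads(status_json)
    return doc["version"]["number"]


# Constructed sample response, trimmed to the field the check needs.
SAMPLE_STATUS = (
    '{"name":"kibana-host","version":{"number":"8.19.10",'
    '"build_hash":"placeholder-build-hash"}}'
)

if __name__ == "__main__":
    # In practice feed the body returned by: curl -s localhost:5601/api/status
    v = version_from_status(SAMPLE_STATUS)
    print(f"Kibana {v}: vulnerable={is_vulnerable(v)}")
```

Pipe the real status body into version_from_status instead of the constructed sample; a None result means the running branch is outside the advisory's list and needs a separate check against the vendor notice.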
📡 Detection & Monitoring
Log Indicators:
- Unusually high number of requests to /api/fleet/ endpoints
- Kibana process consuming excessive CPU/memory
- Error logs indicating resource exhaustion or timeouts
Network Indicators:
- High volume of requests to Kibana Fleet API endpoints from single or few sources
- Abnormal request patterns to Fleet endpoints
SIEM Query:
source="kibana.log" AND ("api/fleet" OR "fleet") AND ("timeout" OR "memory" OR "cpu" OR "resource") | stats count by src_ip
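The first log and network indicators above (many Fleet requests from one or a few sources) can be checked offline before a SIEM rule is written. The following script is an added example, not code from Elastic or from this advisory: it reads JSON request logs, keeps a per-source sliding one-second window over requests under /api/fleet/, and flags sources that exceed the same 20-request burst the nginx workaround allows. The field names (@timestamp, client.ip, url.path) and the sample lines are constructed assumptions; map them to whatever your Kibana or proxy access log actually emits. Lines are expected in timestamp order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set

# Threshold mirrors the nginx workaround (rate=10r/s, burst=20): any source with
# more than MAX_REQUESTS Fleet requests inside one WINDOW is flagged.
WINDOW = timedelta(seconds=1)
MAX_REQUESTS = 20
FLEET_PREFIX = "/api/fleet/"


def parse_line(line: str) -> dict:
    """Parse one JSON log line. Field names are assumed for this example."""
    rec = json.loads(line)
    return {
        "ts": datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00")),
        "src_ip": rec["client"]["ip"],
        "path": rec["url"]["path"],
    }


def fleet_request_bursts(lines: Iterable[str]) -> Dict[str, int]:
    """Per source IP, the largest number of Fleet requests seen in any WINDOW.
    A per-source deque of timestamps is trimmed as it advances, so every line
    is handled once; non-Fleet paths are ignored."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec["path"].startswith(FLEET_PREFIX):
            continue
        q = recent[rec["src_ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > WINDOW:
            q.popleft()
        peak[rec["src_ip"]] = max(peak[rec["src_ip"]], len(q))
    return dict(peak)


def flagged_sources(lines: Iterable[str]) -> Set[str]:
    """Sources whose Fleet request burst exceeds MAX_REQUESTS."""
    return {ip for ip, n in fleet_request_bursts(lines).items() if n > MAX_REQUESTS}


def _log_line(ts: datetime, ip: str, path: str) -> str:
    return json.dumps({
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z",
        "client": {"ip": ip},
        "url": {"path": path},
    })


def constructed_sample() -> List[str]:
    """Constructed sample (not real Kibana output): one noisy client sends 30
    Fleet requests in 600 ms, a second client sends 5 spread over 10 s, and the
    noisy client also hits a non-Fleet endpoint that must not be counted."""
    base = datetime(2026, 1, 15, 12, 0, 0)
    lines = [_log_line(base + timedelta(milliseconds=20 * i),
                       "203.0.113.10", "/api/fleet/agents") for i in range(30)]
    lines += [_log_line(base + timedelta(seconds=2 * i),
                        "198.51.100.7", "/api/fleet/agent_policies") for i in range(5)]
    lines.append(_log_line(base + timedelta(seconds=3), "203.0.113.10", "/api/status"))
    lines.sort(key=lambda l: parse_line(l)["ts"])
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    print(fleet_request_bursts(sample))
    print("flagged:", flagged_sources(sample))
```

The burst count is the same quantity the SIEM query's stats clause aggregates, but computed per window rather than over the whole search span, which is what distinguishes a short flood from steady legitimate agent check-ins.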