PatchSiren cyber security CVE debrief
CVE-2026-42400 Elastic CVE debrief
A medium-severity uncontrolled resource consumption vulnerability in Kibana allows authenticated remote attackers to cause a denial of service through excessive memory and CPU consumption. The vulnerability stems from the processing of specially crafted compressed request payloads, which occurs before authorization checks, enabling resource exhaustion that can render Kibana instances unresponsive or crash them. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a network-accessible attack vector with low attack complexity, requiring low privileges and no user interaction, resulting in high availability impact with no confidentiality or integrity effects.
- Vendor: Elastic
- Product: Kibana
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations operating Kibana instances for log analytics, security monitoring, or business intelligence should prioritize patching. Security teams should assess exposure of Kibana endpoints to authenticated users and evaluate compensating controls for instances that cannot be immediately patched. Infrastructure teams responsible for Elasticsearch and Kibana deployments should monitor for this vulnerability in vulnerability management programs.
Technical summary
The vulnerability exists in Kibana's handling of compressed request payloads, where decompression and initial processing occur before complete authorization validation. An authenticated attacker can exploit this by sending a crafted compressed payload that expands to consume excessive memory and CPU resources during processing. The attack leverages the asymmetric nature of compression algorithms, where small malicious inputs can expand to disproportionately large sizes. Because processing begins before authorization checks complete, the resource consumption occurs regardless of whether the request would ultimately be permitted, enabling effective denial of service against the Kibana instance. The CVSS score of 6.5 reflects the medium severity with high availability impact but no confidentiality or integrity compromise.
Defensive priority
medium
Recommended defensive actions
- Apply security updates referenced in vendor advisory ESA-2026-35 to affected Kibana deployments
- Implement network-level rate limiting and request size restrictions for Kibana endpoints as a compensating control
- Monitor Kibana instance resource utilization for anomalous memory or CPU consumption patterns
- Review authentication and authorization flow to ensure compressed payload processing occurs after credential validation where architecturally feasible
- Consider deploying Kibana behind a reverse proxy with decompression and validation layers to filter malicious payloads
Evidence notes
Vulnerability disclosed via Elastic security advisory ESA-2026-35. CWE-400 (Uncontrolled Resource Consumption) classification confirmed by [email protected]. Affected versions and patch details available in vendor security update.
Official resources
- CVE-2026-42400 CVE record (CVE.org)
- CVE-2026-42400 NVD detail (NVD)
- Source reference: 2026-05-28