Kibana 8.x < 8.19.16 DoS (ESA-2026-39)

🗓️ 04 Jun 2026 00:00:00Reported by TenableType

Kibana before 8.19.16 allows DoS via oversized input to analytics collections endpoint by authenticated viewers.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2026-49094	29 May 202614:45	–	circl
CNNVD	Elastic Kibana 安全漏洞	28 May 202600:00	–	cnnvd
CVE	CVE-2026-49094	28 May 202619:49	–	cve
Cvelist	CVE-2026-49094 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service	28 May 202619:49	–	cvelist
Elastic	Kibana 8.19.16 Security Update (ESA-2026-39)	28 May 202619:26	–	elastic
EUVD	EUVD-2026-33034	28 May 202619:49	–	euvd
NVD	CVE-2026-49094	28 May 202621:16	–	nvd
OSV	BIT-ELK-2026-49094 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service	1 Jun 202611:39	–	osv
OSV	BIT-KIBANA-2026-49094 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service	1 Jun 202611:42	–	osv
OSV	MINI-6VPV-RM6G-95F3	30 May 202615:41	–	osv

Source	Link
nessus	www.nessus.org/u
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(318725);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/08");

  script_cve_id("CVE-2026-49094");
  script_xref(name:"IAVB", value:"2026-B-0141");
  script_xref(name:"IAVB", value:"2026-B-0142");

  script_name(english:"Kibana 8.x < 8.19.16 DoS (ESA-2026-39)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Kibana installed on the remote host is 8.x prior to 8.19.16. It is, therefore, affected by a
vulnerability as referenced in the ESA-2026-39 advisory.

  - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive
    Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an
    oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU
    and memory resources while processing the request. This results in Kibana becoming unavailable to all
    users until the service is manually recovered. (CVE-2026-49094)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://discuss.elastic.co/t/kibana-8-19-16-security-update-esa-2026-39/386561/1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0b3e0800");
  script_set_attribute(attribute:"solution", value:
"Update to Kibana version 8.19.16 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-49094");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:elasticsearch:kibana");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("kibana_web_detect.nbin");
  script_require_keys("installed_sw/Kibana");
  script_require_ports("Services/www", 5601);

  exit(0);
}

include('http.inc');
include('vcf.inc');

var app = 'Kibana';

get_install_count(app_name:app, exit_if_zero:TRUE);

var port = get_http_port(default:5601);

var app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

var constraints = [
  { 'min_version' : '8.0.0', 'fixed_version' : '8.19.16' }
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);

08 Jun 2026 00:00Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.16.5

EPSS0.00047

SSVC