CVE-2026-49087
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
CWE-770 vulnerability in Kibana allows a denial of service via excessive resource allocation. An authenticated attacker can send a crafted bulk deletion request, exhausting resources and making Kibana unavailable.
Risk Assessment
This attack can cause temporary Kibana unavailability, disrupting monitoring and data analysis, potentially crippling security and operational workflows.
Recommendation
Immediately update Kibana to a patched version and implement rate limiting for bulk deletion operations.
Original NVD description (English source)
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.

