{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T11:47:50.584","vulnerabilities":[{"cve":{"id":"CVE-2026-0531","sourceIdentifier":"security@elastic.co","published":"2026-01-13T21:15:50.990","lastModified":"2026-01-22T19:59:54.277","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users."},{"lang":"es","value":"Asignación de Recursos Sin Límites o Limitación (CWE-770) en Kibana Fleet puede conducir a una Asignación Excesiva (CAPEC-130) a través de una solicitud de recuperación masiva especialmente diseñada. Esto requiere que un atacante tenga privilegios de bajo nivel equivalentes al rol de visor, que otorga acceso de lectura a las políticas de agente. La solicitud diseñada puede hacer que la aplicación realice operaciones redundantes de recuperación de base de datos que consumen memoria inmediatamente hasta que el servidor se bloquea y deja de estar disponible para todos los usuarios."}],"metrics":{"cvssMetricV31":[{"source":"security@elastic.co","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@elastic.co","type":"Secondary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","versionStartIncluding":"7.10.0","versionEndExcluding":"7.17.29","matchCriteriaId":"1863989E-58AD-4481-B872-DF5AC637F854"},{"vulnerable":true,"criteria":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.19.10","matchCriteriaId":"8707CF69-9922-490B-B64F-38F2D31E2CA1"},{"vulnerable":true,"criteria":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.1.10","matchCriteriaId":"FC3281ED-A331-43DC-9705-80A3FA3E6C75"},{"vulnerable":true,"criteria":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","versionStartIncluding":"9.2.0","versionEndExcluding":"9.2.4","matchCriteriaId":"8BF9D6AE-B07F-4516-A684-60B02BF731A0"}]}]}],"references":[{"url":"https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522","source":"security@elastic.co","tags":["Vendor Advisory"]}]}}]}