How serious is CVE-2026-26936?

This vulnerability has a CVSS score of 7.5 out of 10, classified as HIGH severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-26936?

Yes, proof-of-concept exploit code for CVE-2026-26936 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-26936?

CVE-2026-26936 affects elastic kibana. Check the full CVE details for specific version information.

How do I fix CVE-2026-26936?

To remediate CVE-2026-26936, check for security patches from elastic. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-26936

High

|7.5

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to cause Kibana to crash or become unresponsive by sending specially crafted input that triggers excessive processing in the system's regular expressions. To exploit this, the attacker needs access to the AI Inference Anonymization Engine, which may be exposed through user inputs or API calls.

Technical Description

Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactNone

Integrity ImpactNone

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,053($1K-$5K)

Vendor Response

Grade APatched in 3 days

Quick Information

Published

Feb 26, 2026

about 1 month ago

Last Modified

Mar 2, 2026

about 1 month ago

Vendor

elastic

Product

kibana

Related Vulnerabilities

CVE-2026-26938High

This vulnerability allows an attacker with specific permissions in Kibana to read any file on the server and potentially make unauthorized requests to other servers. To exploit this, the attacker must be an authenticated user with the ability to execute workflows.

CVE-2026-26937High

This vulnerability allows an attacker to overload the Kibana service, causing it to become unresponsive, effectively leading to a Denial of Service. It can be exploited by sending specially crafted input data to the Timelion component, which means that the attacker needs to have access to the Kibana interface to trigger the issue.

CVE-2026-26935High

This vulnerability allows an attacker to crash the Kibana service by sending specially crafted input to its search feature, which can overwhelm the system. To exploit this, the attacker needs access to the internal Content Connectors endpoint, making it critical to secure that part of the application.

CVE-2026-26934Medium

An attacker with view-only access to Kibana can exploit this vulnerability to send specially crafted data that overwhelms the system, causing it to crash or become unresponsive. This means that even users who are not fully authorized can disrupt the service by manipulating input data.