Description
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- low
- User Action
- none
- Scope
- unchanged
- Confidentiality
- none
- Integrity
- none
- Availability
- high
- Weaknesses
- CWE-20CWE-770
Metadata
- Primary Vendor
- ELASTIC
- Published
- 1/13/2026
- Last Modified
- 1/22/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
elastic : kibanaelastic : kibanaelastic : kibanaelastic : kibana
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.