CVE-2026-0528

Aliases: GHSA-w2gr-585j-r428, GO-2026-4360
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 13 Jan 2026, 21:02
Last modified: 13 Jan 2026, 21:25

Vulnerability Summary

  • Overall Risk (default): medium, 30/100
  • CVSS Score: 7.5 HIGH, v3.1 (nvd)
  • EPSS Score: 0.11% LOW (0% probability +0.05%)
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 13 Jan 2026, 21:02: Published. Vulnerability first disclosed
  • 13 Jan 2026, 21:25: Last Modified. Vulnerability information updated

Description

Improper Validation of Array Index (CWE-129) exists in Metricbeat that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

CVSS Metrics

  • v3.1, MEDIUM, Score: 6.5, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v3.1, HIGH, Score: 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.11% Percentile: 28%

Techniques & Countermeasures

  • CWE-129: Improper Validation of Array Index

    The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Affected Systems

  • Unknown Kibana

    ≥ 7.0.0, < 7.17.29 | ≥ 8.0.0, < 8.19.10 | ≥ 9.0.0, < 9.1.10 | ≥ 9.2.0, < 9.2.4

  • elastic metricbeat

    ≥ 7.0.0, ≤ 7.17.29 | ≥ 8.0.0, ≤ 8.19.9 | ≥ 9.0.0, ≤ 9.1.9 | ≥ 9.2.0, ≤ 9.2.3

  • github.com/elastic/beats

    all

  • github.com/elastic/beats/v7

    < 7.0.0-alpha2.0.20251217054608-6e42552a23ce | ≥ 8.0.0, < 8.19.10 | ≥ 9.0.0, < 9.1.10 | ≥ 9.2.0, < 9.2.4
