Home

Description

Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

PUBLISHED Reserved 2025-12-19 | Published 2026-01-13 | Updated 2026-01-13 | Assigner elastic




MEDIUM: 6.5CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-129 Improper Validation of Array Index

Product status

Default status
unaffected

7.0.0 (semver)
affected

8.0.0 (semver)
affected

9.0.0 (semver)
affected

9.2.0 (semver)
affected

Credits

pkill-arjun reporter

References

discuss.elastic.co/...2-4-security-update-esa-2026-01/384519

cve.org (CVE-2026-0528)

nvd.nist.gov (CVE-2026-0528)

Download JSON