CVE-2026-0528
MEDIUM6.5EPSS 0.11%Metricbeat affected by multiple denial of service vulnerabilities
Published: 1/13/2026Modified: 3/23/2026
Description
Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.
Affected packages (3)
- Go/github.com/elastic/beatsfrom 0
- Go/github.com/elastic/beats/v7from 0, < 7.0.0-alpha2.0.20251217054608-6e42552a23ce
- Go/github.com/elastic/beats/v7from 0, < 7.0.0-alpha2.0.20251217054608-6e42552a23ce
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-w2gr-585j-r428
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-0528
- PATCHhttps://github.com/elastic/beats
- WEBhttps://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519
- WEBhttps://github.com/elastic/beats/commit/0025fbfe668936eb8fa65b838508faf3c3c04387
- WEBhttps://github.com/elastic/beats/commit/6e42552a23cec734e7977ebd3eb7fb797ddce456
- WEBhttps://github.com/elastic/beats/commit/c7664c91a5a68c2df782bfeffe4fb7f42ff2ad1a