{"id":"GHSA-w2gr-585j-r428","summary":"Metricbeat affected by multiple denial of service vulnerabilities","details":"Improper Validation of Array Index (CWE-129) in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) in the Prometheus helper module can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.","aliases":["CVE-2026-0528"],"modified":"2026-02-04T02:56:59.365309Z","published":"2026-01-13T21:31:46Z","related":["CGA-cf6x-5qcj-8h59"],"database_specific":{"cwe_ids":["CWE-129"],"github_reviewed":true,"severity":"MODERATE","nvd_published_at":"2026-01-13T21:15:50Z","github_reviewed_at":"2026-01-22T22:32:15Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0528"},{"type":"WEB","url":"https://github.com/elastic/beats/commit/0025fbfe668936eb8fa65b838508faf3c3c04387"},{"type":"WEB","url":"https://github.com/elastic/beats/commit/6e42552a23cec734e7977ebd3eb7fb797ddce456"},{"type":"WEB","url":"https://github.com/elastic/beats/commit/c7664c91a5a68c2df782bfeffe4fb7f42ff2ad1a"},{"type":"WEB","url":"https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519"},{"type":"PACKAGE","url":"https://github.com/elastic/beats"}],"affected":[{"package":{"name":"github.com/elastic/beats/v7","ecosystem":"Go","purl":"pkg:golang/github.com/elastic/beats/v7"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"7.0.0-alpha2.0.20251217054608-6e42552a23ce"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-w2gr-585j-r428/GHSA-w2gr-585j-r428.json"}},{"package":{"name":"github.com/elastic/beats/v7","ecosystem":"Go","purl":"
pkg:golang/github.com/elastic/beats/v7"},"ranges":[{"type":"SEMVER","events":[{"introduced":"8.0.0"},{"fixed":"8.19.10"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-w2gr-585j-r428/GHSA-w2gr-585j-r428.json"}},{"package":{"name":"github.com/elastic/beats/v7","ecosystem":"Go","purl":"pkg:golang/github.com/elastic/beats/v7"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.0.0"},{"fixed":"9.1.10"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-w2gr-585j-r428/GHSA-w2gr-585j-r428.json"}},{"package":{"name":"github.com/elastic/beats/v7","ecosystem":"Go","purl":"pkg:golang/github.com/elastic/beats/v7"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.2.0"},{"fixed":"9.2.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-w2gr-585j-r428/GHSA-w2gr-585j-r428.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}