CVE-2025-25010Incorrect Authorization in Kibana

CWE-863Incorrect AuthorizationCWE-125Out-of-bounds Read5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 86.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedAug 28

Description

Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDelastic/kibana9.0.09.0.6+1
CVEListV5elastic/kibana9.0.09.0.5+1

Patches

Patch: discuss.elastic.co

🔴Vulnerability Details

2
GHSA
GHSA-5567-c6hm-cgjh: Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access al2025-08-28
CVEList
Kibana privilege escalation via reporting_user role2025-08-28

📋Vendor Advisories

2
Red Hat
kibana: Kibana privilege escalation2025-08-28
Microsoft
A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter().2021-05-11
CVE-2025-25010 — Incorrect Authorization in Elastic | cvebase