CVE-2025-68386

Published: Dec 18, 2025Modified: Dec 23, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security@elastic.co (Secondary)

Description

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.

Affected (4)

Products: Elastic: Kibana

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	From 7.0.0 to 7.17.29
Elastic Kibana	From 8.0.0 to 8.19.8
Elastic Kibana	From 9.0.0 to 9.1.8
Elastic Kibana	From 9.2.0 to 9.2.2

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186

Source: security@elastic.co

Vendor Advisory

Timeline

No history available yet.