CVE-2025-68422

Published: Dec 18, 2025Modified: Dec 23, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security@elastic.co (Secondary)

Description

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.

Affected (4)

Products: Elastic: Kibana

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	From 7.0.0 to 7.17.29
Elastic Kibana	From 8.0.0 to 8.19.7
Elastic Kibana	From 9.0.0 to 9.1.7
Elastic Kibana	Version 9.2.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187

Source: security@elastic.co

Vendor Advisory

Timeline

No history available yet.