Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)

Elasticsearch Insertion of sensitive information in log file (ESA-2025-18)

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API.

Affected Versions:

  • 7.x: All versions from 7.0.0 and up to and including 7.17.29
  • 8.x: All versions from 8.0.0 and up to and including 8.18.7
  • 8.19.x: All versions from 8.19.0 and up to and including 8.19.4
  • 9.0.x: All versions from 9.0.0 and up to and including 9.0.7
  • 9.1.x: All versions from 9.1.0 and up to and including 9.1.4

Affected Configurations:

This affects deployments where all the below are true:

  • Audit logging is enabled (xpack.security.audit.enabled: true)

  • Audit logging is configured to contain authentication_success events (xpack.security.audit.logfile.events.include includes authentication_success)

  • Audit logging is explicitly configured to capture request bodies (xpack.security.audit.logfile.events.emit_request_body: true). The default value is false.
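
The version list and the three configuration preconditions above can be combined into one exposure check. This is an added example, not code from Elastic or from the advisory; the function names, the flat dotted-key reading of elasticsearch.yml, and the sample configuration are assumptions, and the handling of `_all` goes beyond the advisory text.

```python
# Added example, not Elastic's code. Version ranges and setting names are from ESA-2025-18.
AFFECTED = [  # inclusive (first, last) affected versions per branch
    ((7, 0, 0), (7, 17, 29)),
    ((8, 0, 0), (8, 18, 7)),
    ((8, 19, 0), (8, 19, 4)),
    ((9, 0, 0), (9, 0, 7)),
    ((9, 1, 0), (9, 1, 4)),
]
AUDIT = "xpack.security.audit."

# Constructed sample: flat dotted keys as they could appear in elasticsearch.yml.
SAMPLE = """\
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include: [access_denied, authentication_success]
xpack.security.audit.logfile.events.emit_request_body: true  # default is false
"""

def version_affected(version):
    # "8.18.7-SNAPSHOT" -> (8, 18, 7); tuples compare component by component.
    v = tuple(int(p) for p in version.split("-")[0].split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def parse_flat_yaml(text):
    """Minimal reader for flat 'dotted.key: value' lines; nested YAML is not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_true(value):
    return value.strip("\"' ").lower() == "true"

def config_affected(settings):
    """True only when all three preconditions from the advisory hold."""
    raw = settings.get(AUDIT + "logfile.events.include", "")
    events = {e.strip("\"' ") for e in raw.strip("[]").split(",")}
    # "_all" (every event type) is treated as including authentication_success;
    # that value comes from Elasticsearch's audit settings, not from the advisory.
    return (is_true(settings.get(AUDIT + "enabled", "false"))
            and bool(events & {"authentication_success", "_all"})
            and is_true(settings.get(AUDIT + "logfile.events.emit_request_body", "false")))

def exposed(version, yaml_text):
    return version_affected(version) and config_affected(parse_flat_yaml(yaml_text))
```

Calling `exposed("8.18.7", SAMPLE)` returns True, while the same configuration on 8.18.8 returns False.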

Solutions and Mitigations:

The issue is resolved in versions 8.18.8, 8.19.5, 9.0.8, and 9.1.5.

For Users that Cannot Upgrade:

If the affected configuration is in use:

Self-hosted

Users can set xpack.security.audit.logfile.events.emit_request_body to false.

Cloud

Users can set xpack.security.audit.logfile.events.emit_request_body to false.

Severity: CVSSv3.1: Medium (5.3) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2025-37727