Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-27)

ikakavas · December 15, 2025, 10:14am

Elasticsearch Improper Authentication (ESA-2025-27)

Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

Affected Versions:

7.x All versions
8.x: All versions from 8.0.0 up to and including 8.19.7
9.x
- All versions from 9.0.0 up to and including 9.1.7
- All versions from 9.2.0 up to and including 9.2.1

Affected Configurations:

This issue only affects the PKI realm of Elasticsearch.

Solutions and Mitigations:

Medium or High Severity with few customers impacted: The issue is resolved in version 8.19.8, 9.1.8, and 9.2.2.

For Users that Cannot Upgrade:

There are no workarounds

Severity: CVSSv3.1: 6.8 (Medium) - AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID: CVE-2025-37731

Topic		Replies	Views
Configure PKI authentication for Elasticsearch 7.7 Elasticsearch elastic-stack-security	13	1309	January 10, 2023
Unable to setup PKI Authentication Elasticsearch elastic-stack-security	6	521	September 25, 2020
Elasticsearch Authentication problem in python Elasticsearch	2	355	January 15, 2023
PKI Auth on Elasticsearch Service Elasticsearch	2	468	February 7, 2020
Elasticsearch 8.16.2 / 8.17.0 Security Update Security Announcements	0	3044	December 17, 2024