With X-Pack installed, operations in the Advanced Settings panel of the Management tab and operations from the short URL service were performed as the "Kibana Server" user, regardless of which user was actually authenticated. As a result, a user that was defined as read-only could make changes to the global settings of Kibana. This could allow a rogue user to change Kibana configuration to alter Kibana’s appearance or Kibana’s default index.
5.0.2 ensures these operations are run as the currently authenticated user.
This is described as ESA-2016-10 on our security page.
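The difference between the two behaviours described above can be shown with a toy model. This is an added example, not Kibana or X-Pack source code; the role names, the in-memory store and every function name are hypothetical, and the request is constructed for the example.

```javascript
// Added illustration: a toy model, not Kibana or X-Pack source code.
// Role names and function names below are hypothetical.
const ROLES = {
  kibana_server: { canWriteSettings: true }, // stands in for the "Kibana Server" user
  read_only: { canWriteSettings: false },
  admin: { canWriteSettings: true },
};

// Backend store that authorizes each write against the identity it is given.
function createStore() {
  const settings = { defaultIndex: 'logs-*' };
  return {
    settings,
    write(asRole, key, value) {
      if (!ROLES[asRole] || !ROLES[asRole].canWriteSettings) {
        throw new Error(`403: role ${asRole} may not change settings`);
      }
      settings[key] = value;
    },
  };
}

// Flawed pattern: the server always acts with its own service identity,
// so the backend never sees who actually made the request.
function saveSettingAsServer(store, request) {
  store.write('kibana_server', request.key, request.value);
}

// Corrected pattern: the write runs as the authenticated caller,
// so the backend's authorization check applies to that user.
function saveSettingAsCaller(store, request) {
  store.write(request.userRole, request.key, request.value);
}

// Run one handler against a fresh store and report whether the write was accepted.
function attempt(handler, request) {
  const store = createStore();
  try {
    handler(store, request);
    return { allowed: true, defaultIndex: store.settings.defaultIndex };
  } catch (err) {
    return { allowed: false, defaultIndex: store.settings.defaultIndex };
  }
}

// Constructed request from a read-only user.
const readOnlyRequest = { userRole: 'read_only', key: 'defaultIndex', value: 'other-*' };
console.log(attempt(saveSettingAsServer, readOnlyRequest));
console.log(attempt(saveSettingAsCaller, readOnlyRequest));
```

A regression test for this class of bug sends a settings write as a read-only user and expects a denial with the stored value unchanged.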
As always, grab the latest release from our downloads page.
For more information about this release, check out the blog post or release notes.