Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-39)

ismisepaul · December 18, 2025, 9:28pm

Kibana Improper Authorization (ESA-2025-39)

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the 'live queries - read' permission to successfully retrieve the list of live queries.

Affected Versions:

7.x: All versions
8.x: All versions from 8.0.0 up to and including 8.19.6
9.x:
- All versions from 9.0.0 up to and including 9.1.6
- Version 9.2.0

Solutions and Mitigations:

The issue is resolved in version 8.19.7, 9.1.7, and 9.2.1.

Severity: CVSSv3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2025-68422

Topic	Replies	Views
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38) Security Announcements	81	December 18, 2025
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36) Security Announcements	75	December 18, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20) Security Announcements	4070	October 6, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17) Security Announcements	2090	October 6, 2025
Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-24) Security Announcements	1979	November 12, 2025

Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-39)

Related topics