Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)

ismisepaul · December 18, 2025, 9:28pm

Kibana Improper Authorization (ESA-2025-38)

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.

Affected Versions:

7.x: All versions
8.x: All versions from 8.0.0 up to and including 8.19.7
9.x:
- All versions from 9.0.0 up to and including 9.1.7
- All versions from 9.2.0 up to and including 9.2.1

Solutions and Mitigations:

The issue is resolved in version 8.19.8, 9.1.8, and 9.2.2.

Severity: CVSSv3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2025-68386

Topic	Replies	Views
Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-39) Security Announcements	96	December 18, 2025
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36) Security Announcements	75	December 18, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20) Security Announcements	4070	October 6, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17) Security Announcements	2090	October 6, 2025
Kibana 8.17.3 / 8.16.6 Security Update (ESA-2025-06) Security Announcements	17054	March 5, 2025

Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)

Related topics