Kibana 9.0.6, 9.1.3 Security Update (ESA-2025-13)

Kibana privilege escalation via reporting_user role (ESA-2025-13)

Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.

Affected Versions:

Kibana versions 9.0.0 up to and including 9.0.5; and versions 9.1.0 up to and including 9.1.2

Affected Configurations:

This issue affects deployments which assign the built-in reporting_user role to end users. This role is not assigned to users by default.

The reporting_user role in affected versions incorrectly grants users the ability to access all Kibana Spaces, with the following privileges:

  • Read access to Discover, including the ability to generate reports.

  • Read access to Dashboards, including the ability to generate reports.

  • Read access to the Visualization Library, including the ability to generate reports.

  • Read access to Canvas, including the ability to generate reports.

The reporting_user role in versions prior to 9.0 did not grant access to any Kibana Spaces; it only granted reporting functionality within the Spaces users were already authorized to access.

Important: This vulnerability does not violate configured index privileges. Users with the reporting_user role assigned will not have access to any additional user documents or indices. They will be able to access the aforementioned Kibana assets, but not the data within, unless their existing index privileges would otherwise grant access.

Solutions and Mitigations:

The issue is resolved in versions 9.0.6 and 9.1.3.

Any API Keys created by users with the reporting_user role in the affected versions will continue to have elevated privileges. Ensure these API Keys are invalidated to prevent unauthorized access to additional Spaces.

For Users that Cannot Upgrade:

Administrators should revoke the reporting_user role from their end users, and instead grant access to reporting functionality via custom roles which grant the appropriate access to reporting.
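As an added example that is not part of the Elastic advisory: a small Python audit helper that takes the JSON returned by Elasticsearch's GET /_security/user and GET /_security/api_key, lists the users who currently hold reporting_user, and builds the body for DELETE /_security/api_key to invalidate the still-valid API keys those users created (revoking the role alone does not fix keys already issued). The embedded JSON is constructed sample data; only the standard response fields (roles, username, id, invalidated) are assumed.

```python
import json

# Constructed sample of GET /_security/user (not real users).
SAMPLE_USERS = json.loads("""
{
  "alice": {"username": "alice", "roles": ["reporting_user", "viewer"], "enabled": true},
  "bob":   {"username": "bob",   "roles": ["viewer"],                   "enabled": true},
  "carol": {"username": "carol", "roles": ["reporting_user"],           "enabled": false}
}
""")

# Constructed sample of GET /_security/api_key, trimmed to the fields used here.
SAMPLE_API_KEYS = json.loads("""
{"api_keys": [
  {"id": "k1", "name": "alice-report-key", "username": "alice", "invalidated": false},
  {"id": "k2", "name": "bob-key",          "username": "bob",   "invalidated": false},
  {"id": "k3", "name": "carol-old-key",    "username": "carol", "invalidated": true},
  {"id": "k4", "name": "carol-key",        "username": "carol", "invalidated": false}
]}
""")

AFFECTED_ROLE = "reporting_user"


def users_with_role(users, role=AFFECTED_ROLE):
    """Sorted usernames whose role list contains `role` (disabled users included:
    their existing API keys still carry the privileges snapshotted at creation)."""
    return sorted(u for u, info in users.items() if role in info.get("roles", []))


def keys_to_invalidate(api_keys, usernames):
    """Ids of API keys that are still valid and were created by one of `usernames`."""
    names = set(usernames)
    return sorted(k["id"] for k in api_keys.get("api_keys", [])
                  if k.get("username") in names and not k.get("invalidated", False))


def invalidation_request(api_keys, users):
    """Request body for DELETE /_security/api_key, or None when nothing needs revoking."""
    ids = keys_to_invalidate(api_keys, users_with_role(users))
    return {"ids": ids} if ids else None


if __name__ == "__main__":
    print("users holding", AFFECTED_ROLE + ":", users_with_role(SAMPLE_USERS))
    print("DELETE /_security/api_key body:",
          json.dumps(invalidation_request(SAMPLE_API_KEYS, SAMPLE_USERS)))
```

Run it against the live responses saved from a superuser session; keys already marked invalidated are skipped, so re-running after the DELETE is safe.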

Severity: CVSSv3.1: 6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2025-25010
