I have enabled security in elasticsearch and kibana.
I have created a user with only the built-in kibana_user role assigned to it.
It seems this user can create other users and assign whatever role he wants to them, also edit its own user roles like for example add the superuser role... this can't be normal?
Elasticsearch version 6.8.1
Kibana runs on one of the master nodes