CVE-2025-25010
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-10-01

Assigner: Elastic

Description
Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_userΒ role which incorrectly has the ability to access all Kibana Spaces.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2025-10-01
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-25010
EUVD
EUVD-2025-26116
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
elastic kibana From 9.0.0 (inc) to 9.0.6 (exc)
elastic kibana From 9.1.0 (inc) to 9.1.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-25010 is a privilege escalation vulnerability in Kibana versions 9.0.0 through 9.0.5 and 9.1.0 through 9.1.2. It involves the built-in reporting_user role, which incorrectly grants users read access to all Kibana Spaces, allowing them to generate reports and access assets like Discover, Dashboards, Visualization Library, and Canvas across all Spaces. Previously, this role only allowed reporting within Spaces the user was authorized to access. The vulnerability does not grant access to additional user documents or indices beyond existing index privileges. [1]

Impact Analysis

This vulnerability can allow users assigned the reporting_user role to escalate their privileges by accessing and generating reports across all Kibana Spaces, even those they should not have access to. This could lead to unauthorized disclosure of sensitive information contained in dashboards and visualizations. Although it does not allow access to additional index data beyond existing permissions, the exposure of reporting data across all Spaces can pose a significant risk. API keys created by affected users also retain these elevated privileges, increasing the risk if not invalidated. [1]

Detection Guidance

You can detect this vulnerability by checking if any users or API keys have the built-in reporting_user role assigned in Kibana versions 9.0.0 through 9.0.5 and 9.1.0 through 9.1.2. Since the vulnerability involves privilege escalation via this role, auditing role assignments is key. Use Kibana's API or management UI to list users and their roles. For example, use the Kibana API to list users and their roles: `GET /api/security/user` and check for the reporting_user role assignments. Also, review API keys created by users with the reporting_user role, as these retain elevated privileges and should be invalidated. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Kibana to version 9.0.6 or 9.1.3 or later, where the vulnerability is fixed. If upgrading is not possible immediately, revoke the reporting_user role from all end users and API keys, as it is not assigned by default and only assigned in some deployments. Instead, create custom roles that grant appropriate reporting access without the privilege escalation risk. Additionally, invalidate any API keys created by users with the reporting_user role in affected versions to remove elevated privileges. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-25010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart