CVE-2025-68386

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated Kibana users to escalate privileges by changing document sharing settings to 'global', making documents visible to all users in a space. It affects Kibana instances with authenticated users who have document access but not global sharing permissions. The impact is unauthorized data exposure within shared spaces.

💻 Affected Systems

Products:
  • Kibana
Versions: 8.19.x before 8.19.8, 9.1.x before 9.1.8, 9.2.x before 9.2.2
Operating Systems: All platforms running affected Kibana versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to Kibana with document permissions

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive documents intended for limited audiences become globally visible within a space, potentially exposing confidential data to unauthorized users.

🟠 Likely Case

Unauthorized users gain read access to documents they shouldn't see, violating data confidentiality and potentially exposing sensitive information.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized document visibility within a single space.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of the target document IDs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kibana 8.19.8, 9.1.8, or 9.2.2

Vendor Advisory: https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186

Restart Required: Yes

Instructions:

1. Download Kibana 8.19.8, 9.1.8, or 9.2.2 from the Elastic website.
2. Stop the Kibana service.
3. Back up configuration and data.
4. Install the updated version.
5. Restart the Kibana service.
6. Verify functionality.

🔧 Temporary Workarounds

Restrict Document Permissions

all

Tighten document-level permissions to limit which users can modify sharing settings

Configure Kibana role-based access control to restrict 'share' permissions

🧯 If You Can't Patch

  • Implement strict role-based access control to limit document modification permissions
  • Monitor Kibana audit logs for unauthorized sharing activity

🔍 How to Verify

Check if Vulnerable:

Check Kibana version via web interface or command line: ./bin/kibana --version

Check Version:

./bin/kibana --version

Verify Fix Applied:

Verify that the running Kibana version is at or above the fixed release for its branch: 8.19.8 or later on 8.19.x, 9.1.8 or later on 9.1.x, or 9.2.2 or later on 9.2.x. A version being numerically higher than 8.19.8 is not sufficient on its own (for example, 9.1.7 is still affected).
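A branch-aware version check for the affected ranges listed above, as an added example (not from the advisory or from Elastic). It assumes `./bin/kibana --version` prints a bare version string such as `8.19.7`; the host inventory at the bottom is constructed sample data.

```python
"""Added example: classify reported Kibana versions against the CVE-2025-68386 ranges."""
from __future__ import annotations
import re

# Affected branches and the first fixed release on each, as stated in the advisory.
FIXED_ON_BRANCH = {
    (8, 19): (8, 19, 8),
    (9, 1): (9, 1, 8),
    (9, 2): (9, 2, 2),
}

# Accepts "8.19.7", "v9.1.8" or "9.2.1-SNAPSHOT"; pre-release/build suffixes are ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a Kibana version string (assumed output of ./bin/kibana --version)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool | None:
    """True if in an affected range, False if at/after the fix, None if the branch is not listed."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_ON_BRANCH.get((major, minor))
    if fixed is None:
        # Branch not named by the advisory (e.g. 8.18.x or 9.3.x): undecidable from this page.
        return None
    return (major, minor, patch) < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by patch status so the unlisted branches are not mistaken for fixed ones."""
    report: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        key = "unlisted" if status is None else ("vulnerable" if status else "fixed")
        report[key].append(host)
    return report


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "kibana-prod-1": "8.19.7",
    "kibana-prod-2": "9.1.8",
    "kibana-dev": "9.2.1-SNAPSHOT",
    "kibana-legacy": "8.18.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```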

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized document sharing events in Kibana audit logs
  • Multiple document visibility changes from single user

Network Indicators:

  • HTTP POST requests to document sharing endpoints with 'global' parameter

SIEM Query:

source="kibana" AND (event.action:"share" OR event.category:"access") AND http.request.method:POST AND url.path:"/api/saved_objects/*"
