{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-25010", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2025-01-31T15:28:16.917Z", "datePublished": "2025-08-28T15:52:08.670Z", "dateUpdated": "2026-02-26T17:47:51.770Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kibana", "repo": "https://github.com/kibana", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "9.0.5", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.1.2", "status": "affected", "version": "9.1.0", "versionType": "semver"}]}], "datePublic": "2025-08-28T15:48:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Incorrect authorization in Kibana can lead to privilege escalation via the built-in <code>reporting_user</code>&nbsp;role which incorrectly has the ability to access all Kibana Spaces.</p><br>"}], "value": "Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user\u00a0role which incorrectly has the ability to access all Kibana Spaces."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2025-08-28T15:52:08.670Z"}, "references": [{"url": "https://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426"}], "source": {"discovery": "UNKNOWN"}, "title": "Kibana privilege escalation via reporting_user role", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25010", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-29T03:55:25.203983Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T17:47:51.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25010", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-29T03:55:25.203983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T18:19:07.344Z"}}], "cna": {"title": "Kibana privilege escalation via reporting_user role", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/kibana", "vendor": "Elastic", "product": "Kibana", "versions": [{"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.0.5"}, {"status": "affected", "version": "9.1.0", "versionType": "semver", "lessThanOrEqual": "9.1.2"}], "defaultStatus": "unaffected"}], "datePublic": "2025-08-28T15:48:00.000Z", "references": [{"url": "https://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user\u00a0role which incorrectly has the ability to access all Kibana Spaces.", "supportingMedia": [{"type": "text/html", "value": "<p>Incorrect authorization in Kibana can lead to privilege escalation via the built-in <code>reporting_user</code>&nbsp;role which incorrectly has the ability to access all Kibana Spaces.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2025-08-28T15:52:08.670Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25010", "state": "PUBLISHED", "dateUpdated": "2026-02-26T17:47:51.770Z", "dateReserved": "2025-01-31T15:28:16.917Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2025-08-28T15:52:08.670Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "68DCA909-24B1-4DFB-9AF7-0B94E40177AD", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C657F62-975E-479B-A274-6B2A54DC2137", "versionEndExcluding": "9.1.3", "versionStartIncluding": "9.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user\u00a0role which incorrectly has the ability to access all Kibana Spaces."}], "id": "CVE-2025-25010", "lastModified": "2025-10-01T18:45:24.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "bressers@elastic.co", "type": "Secondary"}]}, "published": "2025-08-28T16:15:34.460", "references": [{"source": "bressers@elastic.co", "tags": ["Patch", "Issue Tracking", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "bressers@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "kibana: Kibana privilege escalation", "id": "2391497", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391497"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-863", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-25010", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2025-08-28T15:52:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25010\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25010\nhttps://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426"], "threat_severity": "Moderate"}

{"created": "2025-08-28T21:21:38.354366+00:00", "updated": "2025-08-28T21:21:38.354422+00:00", "vendors": ["elastic", "elastic$PRODUCT$kibana"]}