CVE-2025-25010: 
Kibana vulnerability analysis and mitigation

Incorrect authorization in Kibana can lead to privilege escalation via the built-in reportinguser role which incorrectly has the ability to access all Kibana Spaces. The vulnerability affects Kibana versions 9.0.0 through 9.0.5 and 9.1.0 through 9.1.2, and was disclosed on August 28, 2025. This vulnerability has been assigned CVE-2025-25010 and affects deployments that assign the built-in reportinguser role to end users, which is not assigned by default (Elastic Discussion).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring Low privileges (PR:L) and No user interaction (UI:N). The scope is Unchanged (S:U) with High impact on Confidentiality (C:H) but No impact on Integrity (I:N) and Availability (A:N) (AttackerKB).

The reporting_user role in affected versions incorrectly grants users access to all Kibana Spaces with read access to Discover, Dashboards, Visualization Library, and Canvas, including the ability to generate reports in each. However, the vulnerability does not violate configured index privileges, meaning users will not gain access to additional user documents or indices unless their existing index privileges grant such access (Elastic Discussion).

The vulnerability has been patched in Kibana versions 9.0.6 and 9.1.3. For users unable to upgrade, administrators should revoke the reportinguser role from end users and instead grant access to reporting functionality via custom roles with appropriate access permissions. Additionally, any API Keys created by users with the reportinguser role in affected versions should be invalidated to prevent unauthorized access (Elastic Discussion).