{"id":"CVE-2021-22136","details":"In Kibana versions before 7.12.0 and 6.8.15, a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users' sessions, preventing a user session from timing out.","modified":"2026-04-10T04:29:57.864400Z","published":"2021-05-13T18:15:08.993Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"0"},{"fixed":"dd7258ddc9c294cb93a248c2fa0d09e886596d91"},{"introduced":"ee89fda8a17eff9c93f7400c102edf76cb4d7d8a"},{"fixed":"b7f9a41f486a2910ef22a1274ec734219c35ca3e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.8.15"},{"introduced":"7.0.0"},{"fixed":"7.12.0"}]}}],"versions":["7.0-known-good","v4.0.0-beta1","v4.0.0-beta1.1","v4.0.0-beta2","v4.0.0-beta3","v4.2.0-beta1","v5.0.0-alpha5","v6.0.0-alpha1","v6.0.0-alpha2","v6.7.0","v6.7.1","v6.7.2","v6.8.0","v6.8.1","v6.8.10","v6.8.11","v6.8.12","v6.8.13","v6.8.14","v6.8.2","v6.8.3","v6.8.4","v6.8.5","v6.8.6","v6.8.7","v6.8.8","v6.8.9","v7.0.0-alpha1","v7.0.0-alpha2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}