{"id":"CVE-2025-68422","details":"Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.","aliases":["BIT-elk-2025-68422","BIT-kibana-2025-68422"],"modified":"2026-04-10T05:35:06.595925Z","published":"2025-12-18T23:15:49.873Z","related":["CGA-p9h8-ff2v-6c79"],"references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"ee89fda8a17eff9c93f7400c102edf76cb4d7d8a"},{"last_affected":"f6e2f2e44cc0a6a11435f1b6350f735e23bef4b4"},{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"fixed":"28cf679904329ed50de370ff1e1e71f1b57996a1"},{"introduced":"504d6bfa94cca17fabb76e06152c30c4f0c3efdd"},{"fixed":"6c427d979e2b3a65eea87f31ba4b65dc579ee2f0"},{"introduced":"0"},{"last_affected":"68626ce831ffb8e4138bb24ba8762a15a569a41c"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"last_affected":"7.17.29"},{"introduced":"8.0.0"},{"fixed":"8.19.7"},{"introduced":"9.0.0"},{"fixed":"9.1.7"},{"introduced":"0"},{"last_affected":"9.2.0"}]}}],"versions":["7.0-known-good","deploy@1693594780","deploy@1693609987","deploy@1693853982","deploy@1693860790","deploy@1693866333","deploy@1694087994","deploy@1694162455","deploy@1694506029","deploy@1694683198","deploy@1695286747","deploy@1696328885","deploy@1696415195","deploy@1696508231","deploy@1696618725","deploy@1696873111","deploy@1697028216","deploy@1697232175","deploy@1697564183","deploy@1698046713","deploy@1698657637","deploy@1699260155","deploy@1699865290","deploy@1700491293","deploy@1701160888","deploy@1701687168","deploy@1702284899","deploy@1702367069","deploy@1702879551","deploy@1702903357","deploy@1703484304","deploy@1704089101","deploy@1704693922","deploy@1705298718","deploy@1705306975","deploy@1705903520","deploy@1706508321","deploy@1707113127","deploy@1707717945","deploy@1708322739","deploy@1708927574","deploy@1709532332","deploy@1709533819","deploy@1710137117","deploy@1710146776","deploy@1710741924","deploy@1711370131","deploy@1711952105","deploy@1712566963","deploy@1713161715","deploy@1713766425","deploy@1714371303","deploy@1714976069","deploy@1715580861","deploy@1716185667","deploy@1716790412","deploy@1716800745","deploy@1717395230","deploy@1717401777","deploy@1718000036","deploy@1718616070","deploy@1719209622","deploy@1719814351","deploy@1720419201","deploy@1721023892","deploy@1721628835","deploy@1722233551","deploy@1722838314","deploy@1723443177","deploy@1724047965","deploy@1724652827","deploy@1725257503","deploy@1725862301","deploy@1726473511","deploy@1727071987","deploy@1727676838","deploy@1728281754","deploy@1728886420","deploy@1729491328","deploy@1730095989","deploy@1730700921","deploy@1731305644","deploy@1731910526","deploy@1732515196","deploy@1733120035","deploy@1733724770","deploy@1734329529","deploy@1734934371","deploy@1735539127","deploy@1736144018","deploy@1736748791","deploy@1737353792","deploy@1737958429","deploy@1738563299","deploy@1739168190","deploy@1739772912","deploy@1740377517","deploy@1740982600","deploy@1741587091","deploy@1742191921","deploy@1742796690","deploy@1743401509","deploy@1744006300","deploy@1744611164","deploy@1745272860","deploy@1745820726","deploy@1746425571","deploy@1747030444","deploy@1747635089","deploy@1748239962","deploy@1748844884","deploy@1748942782","deploy@1749449628","deploy@1750054502","deploy@1750659199","deploy@1751264043","deploy@1751277018","deploy@1751868905","deploy@1752473612","deploy@1753078461","deploy@1753683246","deploy@1754288252","deploy@1754931892","deploy@1755497723","deploy@1756102496","deploy@1756707119","deploy@1757311879","deploy@1757916930","deploy@1758521525","deploy@1759126366","test-depl-20231013154558","test-depl-20231025084603","v4.0.0-beta1","v4.0.0-beta1.1","v4.0.0-beta2","v4.0.0-beta3","v4.2.0-beta1","v5.0.0-alpha5","v6.0.0-alpha1","v6.0.0-alpha2","v7.0.0-alpha1","v7.0.0-alpha2","v7.16.0","v7.16.1","v7.17.0","v7.17.1","v7.17.10","v7.17.11","v7.17.12","v7.17.13","v7.17.14","v7.17.15","v7.17.16","v7.17.17","v7.17.18","v7.17.19","v7.17.2","v7.17.20","v7.17.21","v7.17.22","v7.17.23","v7.17.24","v7.17.25","v7.17.26","v7.17.27","v7.17.28","v7.17.29","v7.17.3","v7.17.4","v7.17.5","v7.17.6","v7.17.7","v7.17.8","v7.17.9","v8.0.0-alpha1","v8.0.0-alpha2","v8.19.0","v8.19.1","v8.19.2","v8.19.3","v8.19.4","v8.19.5","v8.19.6","v9.1.0","v9.1.1","v9.1.2","v9.1.3","v9.1.4","v9.1.5","v9.1.6","v9.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68422.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}