Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature might log user credentials from users logging into Kibana.
AnalysisAI
Search Guard FLX versions 1.0.0 through 4.0.1 leak user credentials into audit logs when users authenticate through Kibana, exposing plaintext authentication material to any system administrator or user with log access. The vulnerability requires high-privilege access to exploit and affects only confidentiality, but the presence of credentials in audit logs creates a persistent information disclosure risk that persists across backup and archival systems.
Technical ContextAI
Search Guard FLX is an authentication and authorization plugin for Elasticsearch and Kibana developed by floragunn. The audit logging feature (CWE-532: Insertion of Sensitive Information into Log File) fails to sanitize or filter user credentials during the authentication flow when users log into Kibana. The affected versions span from the initial 1.0.0 release through 4.0.1, covering a broad range of Elasticsearch/Kibana deployments using Search Guard for access control. The root cause is inadequate log scrubbing at the audit layer, where credential material from login requests is recorded verbatim rather than masked, hashed, or omitted.
RemediationAI
Upgrade Search Guard FLX to version 4.1.0 or later, which remediates the credential logging issue. See the changelog at https://docs.search-guard.com/latest/changelog-searchguard-flx-4_1_0 for release details. In parallel, review and rotate any credentials that may have been logged in Elasticsearch audit logs from affected versions, particularly those visible in Kibana login events during the window of vulnerability exposure. If immediate upgrade is not feasible, implement access controls on audit logs to restrict viewing permissions to systems and personnel with legitimate operational need, and consider log retention minimization to reduce the persistence window of exposed credentials.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17507
GHSA-vx77-83rf-gfvg