It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HElastic Cloud Enterprise
APPElastic3.0.0 β 3.7.2 (bez)
π’
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
Related vulnerabilities
CVE-2025-37729CRITICAL9.1PL βten sam produkt
Elastic Cloud Enterprise β Server-Side Template Injection (SSTI) w silniku Jinjava
CVE-2025-37736HIGH8.8ten sam produkt
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonl...
CVE-2023-31418HIGH7.5ten sam produkt
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...
CVE-2018-3828HIGH7.5ten sam produkt
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was d...
CVE-2022-23716MEDIUM5.3ten sam produkt
A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key us...