CVE-2025-12149

Unauthorized access to documents protected by Document-Level Security (DLS), when Signals watches include a search query involving protected documents

Description

In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices.

INFO

Published Date :

2025-11-14T13:58:42.775Z

Last Modified :

2025-11-14T16:51:01.897Z

Source :

floragunn

AFFECTED PRODUCTS

The following products are affected by CVE-2025-12149 vulnerability.

Vendors	Products
Search-guard	Search Guard

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-12149.

URL	Resource
https://docs.search-guard.com/latest/changelog-searchguard-flx-3_1_3
https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_0
https://search-guard.com/cve-advisory/

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability