
Elastic Cloud Enterprise Improper Authorization (CVE-2025-37736)

8.8 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation: the built-in readonly user can call APIs that it should not be permitted to call. The affected APIs are:

post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}
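As an added defender-side example (not code from the advisory or from Elastic), the matcher below turns the affected endpoint list into path patterns and scans constructed JSON request-log lines for calls by the readonly user to those endpoints. The log field names (`user`, `method`, `path`) and the absence of an API base-path prefix are assumptions; strip any prefix your logs carry before matching.

```python
import json
import re
# Affected method:path pairs, as listed in the advisory above.
AFFECTED_APIS = [
    "post:/platform/configuration/security/service-accounts",
    "delete:/platform/configuration/security/service-accounts/{user_id}",
    "patch:/platform/configuration/security/service-accounts/{user_id}",
    "post:/platform/configuration/security/service-accounts/{user_id}/keys",
    "delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}",
    "patch:/user",
    "post:/users",
    "post:/users/auth/keys",
    "delete:/users/auth/keys",
    "delete:/users/auth/keys/_all",
    "delete:/users/auth/keys/{api_key_id}",
    "delete:/users/{user_id}/auth/keys",
    "delete:/users/{user_id}/auth/keys/{api_key_id}",
    "delete:/users/{user_name}",
    "patch:/users/{user_name}",
]

def _compile(spec):
    # "{param}" segments match exactly one path segment; everything else is literal.
    method, path = spec.split(":", 1)
    rx = "/".join(r"[^/]+" if s.startswith("{") else re.escape(s) for s in path.split("/"))
    return method, re.compile("^" + rx + "$"), spec.count("{")
_COMPILED = {s: _compile(s) for s in AFFECTED_APIS}

def affected_api(method, path):
    # Advisory entry covering (method, path), or None. Strip any API base prefix first.
    # If a literal and a parameterised entry both match, the fewer-placeholder one wins.
    path = path.split("?", 1)[0].rstrip("/") or "/"
    matches = [(n, s) for s, (m, rx, n) in _COMPILED.items()
               if m == method.lower() and rx.match(path)]
    return min(matches)[1] if matches else None

def flag_readonly_calls(log_lines, readonly_user="readonly"):
    # Request records in which the readonly user reached an affected endpoint.
    return [dict(r, affected_api=spec) for r in map(json.loads, log_lines)
            if r.get("user") == readonly_user
            and (spec := affected_api(r["method"], r["path"]))]

# Constructed sample request log (JSON lines); not ECE's real audit-log format.
SAMPLE_LOG = [
    '{"user":"readonly","method":"GET","path":"/users"}',
    '{"user":"readonly","method":"POST","path":"/users/auth/keys"}',
    '{"user":"readonly","method":"DELETE","path":"/users/alice/auth/keys/key-1?x=1"}',
    '{"user":"admin","method":"PATCH","path":"/users/alice"}',
]
```

Running `flag_readonly_calls(SAMPLE_LOG)` returns the two readonly write calls, each annotated with the advisory entry it matched; a read-only GET and an admin call are not flagged.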

AI Analysis

Improper Authorization vulnerability allowing Privilege Escalation in Elastic Cloud Enterprise

Basic Information

ID CVE-2025-37736
Source elastic
Published Nov 7, 2025 at 22:08
Modified Nov 7, 2025 at 22:17

Affected Product

Vendor Elastic
Product Elastic Cloud Enterprise (ECE)
Version 3.8.0, 4.0.0
Affected Versions Elastic Cloud Enterprise (ECE) 3.8.0
Elastic Cloud Enterprise (ECE) 4.0.0

AI Assessment

AI Score 8.8 / 10
AI Severity High
