CVE-2025-12149 MEDIUM

CVE-2025-12149: Unauthorized access to documents protected by Document-Level Security (DLS), when Signals watches include a search query involving protected documents

Vendor Floragunn

Product Search Guard FLX

Weakness CWE-200 · Info exposure

Published November 14, 2025

Last update November 14, 2025

View on NVD All CVEs

CVSS base score

6.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices.

Key dates

02Disclosure timeline

November 14, 2025 CVE published

November 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-12149

Related vulnerabilities

CVE-2025-12149: Unauthorized access to documents protected by Document-Level Security (DLS), when Signals watches include a search query involving protected documents

01Description

02Disclosure timeline

03References

04Related CVE