CVE-2025-12149: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in floragunn Search Guard FLX
In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices.
AI Analysis
Technical Summary
CVE-2025-12149 is a vulnerability identified in floragunn's Search Guard FLX, a security plugin for Elasticsearch that provides fine-grained access control, including Document-Level Security (DLS). In versions 3.1.2 and earlier, DLS is generally enforced correctly, but a logic flaw exists when searches are initiated through the Signals watch feature. A Signals watch is a mechanism that triggers searches based on predefined conditions or alerts. Because DLS rules are not enforced in this context, users with limited privileges can bypass document-level restrictions and retrieve all documents within the queried indices, regardless of their access rights. This results in unauthorized exposure of sensitive data. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-863 (Incorrect Authorization). The CVSS v4.0 base score is 6.0, reflecting medium severity: network attack vector, low attack complexity, privileges required, and no user interaction. No patches or exploits are currently publicly available, but the flaw represents a significant risk to confidentiality in environments that rely on Search Guard FLX for data protection.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data stored in Elasticsearch clusters secured by Search Guard FLX. Industries such as finance, healthcare, government, and critical infrastructure that rely on Elasticsearch for logging, monitoring, or data analytics could have sensitive documents exposed to unauthorized internal users or to attackers who have gained low-level access. The DLS bypass means that data segregation policies are effectively nullified whenever a search is triggered via a Signals watch, potentially leading to data leaks, regulatory non-compliance (e.g., GDPR), and reputational damage. Although the vulnerability does not affect data integrity or availability, the exposure of sensitive information can facilitate further attacks or insider threats. The lack of known exploits reduces the immediate risk but does not eliminate the threat, especially in targeted attacks.
Mitigation Recommendations
Organizations should immediately review their use of the Signals watch feature in Search Guard FLX and consider disabling or restricting it until a patch is available. Implement strict access controls to limit which users can configure or trigger Signals watch searches. Monitor logs for unusual search activity initiated via Signals watches. Upgrade to a version of Search Guard FLX in which this vulnerability is fixed as soon as one is released. In the interim, apply compensating controls such as network segmentation, enhanced monitoring, and alerting on data-access anomalies. Conduct thorough audits of Elasticsearch indices to identify any unauthorized data access. Engage with floragunn support or security advisories for updates and patches. Additionally, review and reinforce overall privilege management to minimize the risk of privilege escalation that could exploit this vulnerability.
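One concrete way to carry out the "review your use of Signals watches" step above is to cross-check every watch's search checks against the index patterns that carry a DLS rule in the role configuration, since those are exactly the indices where a watch-triggered search would return more than the role allows. The script below is an added example, not code from floragunn or from this advisory; it assumes the `index_permissions` / `index_patterns` / `dls` layout of `sg_roles.yml` and a Signals watch document whose `checks` of type `search` carry `request.indices`, and all sample data is constructed.

```python
"""Flag Signals watches whose search checks target DLS-protected indices.

Assumptions (not taken from the advisory): roles use the sg_roles.yml layout
(index_permissions -> index_patterns / dls) and watches are Signals documents
whose search checks carry request.indices. All sample data is constructed.
"""
from fnmatch import fnmatchcase

# Constructed sample roles: one role carries a DLS rule on "patients-*" only.
SAMPLE_ROLES = {
    "sg_analyst": {
        "index_permissions": [
            {"index_patterns": ["patients-*"], "allowed_actions": ["SGS_READ"],
             "dls": '{"term": {"ward": "${user.attrs.ward}"}}'},
            {"index_patterns": ["logs-*"], "allowed_actions": ["SGS_READ"]},
        ]
    },
}

# Constructed sample watches: only the first one searches a DLS-protected index.
SAMPLE_WATCHES = {
    "ward_census": {"checks": [{"type": "search", "name": "census",
                                "request": {"indices": ["patients-2025"]}}]},
    "error_rate": {"checks": [{"type": "search", "name": "errors",
                               "request": {"indices": ["logs-app"]}}]},
}


def dls_patterns(roles):
    """Return {index_pattern: role} for every index permission that has a DLS rule."""
    out = {}
    for role, spec in roles.items():
        for perm in spec.get("index_permissions", []):
            if perm.get("dls"):
                for pat in perm.get("index_patterns", []):
                    out[pat] = role
    return out


def watches_hitting_dls(watches, roles):
    """List (watch_id, check_name, index, dls_pattern, role) for each search check
    whose target matches a DLS-protected pattern. Wildcards can sit on either side
    (role pattern or watch index), so both directions are matched; "*" / "_all" in
    a watch always counts as a hit because it spans every protected index."""
    protected = dls_patterns(roles)
    hits = []
    for wid, watch in watches.items():
        for chk in watch.get("checks", []):
            if chk.get("type") != "search":
                continue
            for idx in chk.get("request", {}).get("indices", []):
                for pat, role in protected.items():
                    if idx in ("*", "_all") or fnmatchcase(idx, pat) or fnmatchcase(pat, idx):
                        hits.append((wid, chk.get("name", "?"), idx, pat, role))
    return hits
```

Every tuple returned is a watch that should be disabled, restricted, or re-pointed at an index without a DLS rule until a fixed release is deployed.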
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: floragunn
- Date Reserved: 2025-10-24T11:00:56.054Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691737213d7715a824c0d570
Added to database: 11/14/2025, 2:05:21 PM
Last enriched: 11/14/2025, 2:20:14 PM
Last updated: 11/17/2025, 1:09:43 AM