Search Guard v15 and Kibana Plugin v4 release - Critical security issue fixed

Hi all,
we're proud to announce that we have released Search Guard v15 today!
This release contains a **[critical security fix](** for the Document- and Field-Level security functionality, so users are urged to upgrade soon!
**DLSFLS leaking information when "do not fail on forbidden" is activated**

If the multitenancy module is installed and the "do not fail on forbidden" feature is activated in sg_config like:
      do_not_fail_on_forbidden: true

The DLS/FLS module can leak information if the user does not have permissions for all indices in a query or get action. This does not happen if "do not fail on forbidden" is set to false, or not set at all.

The release also contains a number of other fixes and features, for example the possibility to disable Search Guard in elasticsearch.yml temporarily without removing it, or setting the TTL of the internal user cache. You can read about all features and fixes in the [Search Guard Changelog](

We’ve also released v4 of the Kibana plugin, you can find all changes in the Kibana plugin changelog.

Thanks for your support and input!
Have fun,
Jochen and the Search Guard team