In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.
[
{
"product": "Kibana",
"vendor": "Elastic",
"versions": [
{
"status": "affected",
"version": "before 7.12.0 and 6.8.15"
}
]
}
]