x-pack-security is vulnerable to information disclosure. When a user runs the same query as queried by another more privileged user, the scrolling search can leak fields that should be hidden, resulting in the user gaining additional permissions against a restricted index.