diff --git a/docs/changelog/112400.yaml b/docs/changelog/112400.yaml
new file mode 100644
index 0000000000000..6d622e5fb5248
--- /dev/null
+++ b/docs/changelog/112400.yaml
@@ -0,0 +1,5 @@
+pr: 112400
+summary: Make sure file accesses in `DnRoleMapper` are done in stack frames with permissions
+area: Infra/Core
+type: bug
+issues: []
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
index 0f8539e69bb32..3279bda791c52 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
@@ -114,7 +114,9 @@ public static Map> parseFile(Path path, Logger logger, Stri
 }
 try {
- Settings settings = Settings.builder().loadFromPath(path).build();
+ // create this here so it's in an allowed stack frame
+ var file = Files.newInputStream(path);
+ Settings settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build();
 Map> dnToRoles = new HashMap<>();
 Set roles = settings.names();
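Review bot: The stream opened by `Files.newInputStream(path)` in `parseFile` is not closed anywhere in the visible lines, so its lifetime depends entirely on `loadFromStream` closing it, which this hunk does not show. If `loadFromStream` throws before it takes ownership (for example on an unrecognised file extension, if it validates the name first), the descriptor for the role-mapping file would leak on every reload attempt. Making ownership explicit costs little and a second close is harmless: `Settings settings; try (var file = Files.newInputStream(path)) { settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build(); }`. The comment could also say which permission check the "allowed stack frame" satisfies, e.g. `// open the file in this class so the read-permission check sees a frame that is granted access to the mapping file`, so a later refactor does not move the open back into a helper. The body of `parseFile` starts and ends outside the hunk.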