Skip to main content

Wazuh CVE-2026-34150

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-07-17 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Default-config password-less enrollment enables unauthenticated network exploitation (AV:N/PR:N) at low complexity; impact is a daemon crash, so availability only (A:H, C:N/I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 00:29 vuln.today
CVE Published
Jul 17, 2026 - 00:16 cve.org
HIGH 7.5

DescriptionCVE.org

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 1.0.0 and above, prior to 4.14.5, a heap buffer overflow in wazuh-analysisd allows an unauthenticated remote attacker to crash the Wazuh manager's analysis engine, causing complete loss of SIEM alert processing. The attack exploits the default configuration shipped in the official wazuh/wazuh-docker deployment with default configuration. An attacker can enroll with authd without a password to obtain a valid agent ID and encryption key, connect to remoted over the Wazuh agent protocol, and inject rootcheck events containing  {key: value}  patterns longer than 30 bytes that trigger a sprintf overflow of a 30-byte buffer in W_JSON_ParseRootcheck, corrupting the heap and crashing wazuh-analysisd so that all alert processing silently stops while the dashboard and API keep showing stale data.

AnalysisAI

Denial of service in Wazuh's analysis engine (wazuh-analysisd) lets an unauthenticated remote attacker permanently halt SIEM alert processing on Wazuh manager versions 1.0.0 through 4.14.4. Because the official wazuh/wazuh-docker deployment ships with password-less agent enrollment enabled by default, an attacker can register as an agent and send a crafted rootcheck event that overflows a fixed 30-byte heap buffer, crashing the daemon while the dashboard and API keep showing stale data - silently blinding the SIEM. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach manager authd/remoted ports
Delivery
Enroll password-less for agent key
Exploit
Connect to remoted via agent protocol
Execution
Inject rootcheck event over 30 bytes
Persist
Overflow sprintf buffer in analysisd
Impact
Crash wazuh-analysisd, halt alert processing

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Wazuh manager's remoted (agent protocol, default TCP 1514) and authd (enrollment, default TCP 1515) services, plus the password-less agent enrollment that is enabled in the official wazuh/wazuh-docker default configuration - that default is the exact precondition, letting an unauthenticated attacker obtain a valid agent ID and key without credentials. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine, easily reachable availability risk rather than an inflated high-CVSS finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a default Wazuh Docker manager enrolls with authd without a password, obtaining a valid agent ID and encryption key. Using those credentials over the Wazuh agent protocol to remoted, the attacker injects a rootcheck event whose {key: value} pattern exceeds 30 bytes, triggering the sprintf overflow that crashes wazuh-analysisd. …
Remediation Vendor-released patch: 4.14.5 - upgrade the Wazuh manager to 4.14.5 or later, which corrects the W_JSON_ParseRootcheck buffer handling; for containerized installs, pull the updated wazuh/wazuh-docker image built on 4.14.5 and redeploy. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable password-less agent enrollment on all Wazuh managers by setting auth_pass_only: true in /var/ossec/etc/ossec.conf, restrict network access to manager ports 1514-1515 to known agent CIDR ranges via firewall rules, and enable verbose rootcheck event logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-34150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy