Skip to main content

Wazuh CVE-2026-56401

| EUVDEUVD-2026-42261 HIGH
NULL Pointer Dereference (CWE-476)
2026-07-08 disclosure@vulncheck.com GHSA-h67j-gxv6-33g4
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Enrolled agent needed so PR:L; network-reachable message with straightforward crafting gives AV:N/AC:L; impact is availability-only (A:H) with no confidentiality or integrity effect and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 15:01 EUVD
Analysis Generated
Jul 08, 2026 - 14:50 vuln.today

DescriptionCVE.org

Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in inventory_sync FlatBuffer DataValue handling. An enrolled agent can send a verifier-valid DataValue message omitting the optional id field, causing wazuh-modulesd to crash when dereferencing data->id()->string_view() without null validation, resulting in denial of service.

AnalysisAI

Denial of service in Wazuh wazuh-modulesd (all releases before 5.0.0-beta3) lets an enrolled agent crash the manager's inventory synchronization module by sending a verifier-valid FlatBuffer DataValue message that omits the optional id field, triggering a null pointer dereference (CWE-476). Exploitation requires only a valid enrolled agent (PR:L) over the network with no user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or enroll a Wazuh agent
Delivery
Craft verifier-valid DataValue omitting id field
Exploit
Send to manager inventory_sync
Execution
Dereference null data->id()->string_view()
Persist
Crash wazuh-modulesd (DoS)
Impact
Repeat to sustain outage

Vulnerability AssessmentAI

Exploitation Exploitation requires an enrolled Wazuh agent with valid credentials able to reach the manager's inventory_sync interface (CVSS PR:L, AV:N, AC:L, UI:N) - the attacker must be able to send an inventory_sync FlatBuffer DataValue message that passes FlatBuffer verification while deliberately omitting the optional id field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:N/VA:H) scores 7.1 and accurately captures the profile: network-reachable, low complexity, no user interaction, but requiring an already-enrolled agent (PR:L) and yielding only availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised an endpoint running a Wazuh agent, or who possesses valid agent enrollment credentials, crafts an inventory_sync DataValue FlatBuffer message that passes verification but omits the optional id field and sends it to the manager. When wazuh-modulesd calls string_view() on the absent id, the process crashes, halting inventory synchronization; the attacker can repeat this to keep the module down. …
Remediation Vendor-released patch: upgrade wazuh-modulesd / Wazuh to 5.0.0-beta3 or later, which adds null validation before dereferencing the optional DataValue id field (fix commit https://github.com/wazuh/wazuh/commit/3adf4f87942705aa0ceeba1e145c259cc9dcd242; advisory GHSA-6hxp-c9x3-qc7p). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Wazuh manager deployments and document current version; restrict agent enrollment to pre-approved systems only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wazuh

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2021-44079 CRITICAL POC
9.8 Nov 22

In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman

CVE-2026-25769 CRITICAL POC
9.1 Mar 17

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi

CVE-2018-19666 HIGH POC
7.8 Nov 29

The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa

CVE-2024-1243 HIGH POC
7.2 Jun 11

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al

CVE-2021-41821 MEDIUM POC
6.5 Sep 29

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o

CVE-2026-56699 CRITICAL
10.0 Jul 15

NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation

CVE-2024-32038 CRITICAL
9.8 Apr 19

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C

CVE-2026-25770 CRITICAL
9.1 Mar 17

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth

CVE-2026-30893 CRITICAL POC
9.0 Apr 29

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that

CVE-2023-42455 HIGH
8.8 Oct 09

Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln

CVE-2022-40497 HIGH
8.8 Sep 28

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe

Share

CVE-2026-56401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy