Skip to main content

Wazuh Manager CVE-2026-56699

| EUVDEUVD-2026-44630 CRITICAL
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-07-15 VulnCheck GHSA-r2pm-mgrm-39hq
10.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Requires a valid enrolled agent so PR:L not PR:N; injection into the shared OpenSearch backend under admin credentials changes scope (S:C) with full C/I/A loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 13:03 EUVD
Analysis Generated
Jul 15, 2026 - 12:28 vuln.today
CVE Published
Jul 15, 2026 - 11:25 cve.org
CRITICAL 10.0

DescriptionCVE.org

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.

AnalysisAI

NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operations because the DataValue.index field is not escaped when the manager builds inventory-sync bulk requests. Because those requests execute under the manager's OpenSearch admin credentials, a single low-trust agent can delete documents, tamper with alerts, and manipulate SIEM state across all other agents. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enroll or compromise a Wazuh agent
Delivery
Craft inventory with malicious DataValue.index
Exploit
Inject NDJSON action lines into bulk request
Execution
Manager executes bulk as OpenSearch admin
Persist
Delete or tamper alert documents
Impact
Cross-agent SIEM state manipulation

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control a Wazuh agent that is already enrolled with the target manager, and the manager must process that agent's inventory through the inventory-sync path that builds OpenSearch _bulk (NDJSON) requests - the concrete injection point is the unescaped DataValue.index field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reporter's CVSS 4.0 score is a maximal 10.0 (AV:N/AC:L/AT:N/PR:N/UI:N with high vulnerable- and subsequent-system C/I/A), reflecting network reach, low complexity, and total compromise of SIEM data confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker compromises or maliciously deploys a single endpoint running an enrolled Wazuh agent and crafts inventory data whose DataValue.index field contains embedded NDJSON newlines and action lines. When the manager syncs that inventory to OpenSearch under its admin credentials, the smuggled delete/update operations execute, letting the attacker erase their own intrusion alerts and tamper with other agents' SIEM records. …
Remediation Vendor-released patch: 5.0.0-beta3 - upgrade the Wazuh Manager to 5.0.0-beta3 or later per advisory GHSA-ff9g-85jq-r3g3 (https://github.com/wazuh/wazuh/security/advisories/GHSA-ff9g-85jq-r3g3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Wazuh Manager deployments and document installed versions; implement strict controls on agent enrollment and credential distribution; enable verbose logging for all OpenSearch database operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wazuh

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2021-44079 CRITICAL POC
9.8 Nov 22

In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman

CVE-2026-25769 CRITICAL POC
9.1 Mar 17

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi

CVE-2018-19666 HIGH POC
7.8 Nov 29

The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa

CVE-2024-1243 HIGH POC
7.2 Jun 11

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al

CVE-2021-41821 MEDIUM POC
6.5 Sep 29

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o

CVE-2024-32038 CRITICAL
9.8 Apr 19

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C

CVE-2026-25770 CRITICAL
9.1 Mar 17

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth

CVE-2026-30893 CRITICAL POC
9.0 Apr 29

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that

CVE-2023-42455 HIGH
8.8 Oct 09

Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln

CVE-2022-40497 HIGH
8.8 Sep 28

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe

CVE-2021-26814 HIGH
8.8 Mar 06

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileg

Share

CVE-2026-56699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy