Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
Reserved. Details will be published at disclosure.
AnalysisAI
Local privilege-context input validation flaw in Cribl Edge versions prior to 4.17.1 allows an authenticated local user with low privileges to compromise confidentiality, integrity, and availability of the Edge node. Tagged as an information disclosure issue by the vendor, the vulnerability scores CVSS 4.0 8.5 (high) but carries a very low EPSS of 0.02%, and no public exploit identified at time of analysis. A vendor patch is available and the issue is tracked as EUVD-2026-29355.
Technical ContextAI
Cribl Edge is a lightweight data collection and observability agent deployed on endpoints and servers to forward logs, metrics, and events to downstream pipelines. The root cause is classified as CWE-20 (Improper Input Validation), meaning the Edge agent fails to properly validate input it receives - likely from a local interface, configuration channel, or IPC path given the AV:L vector - before acting on it. Because the affected CPE is cpe:2.3:a:cribl:cribl_edge:*:*:*:*:*:*:*:*, every prior 4.x build of the Edge component (not the broader Cribl Stream or Cloud control plane) inherits the defect until upgraded to 4.17.1.
RemediationAI
Vendor-released patch: upgrade Cribl Edge to version 4.17.1 or later, as documented in the v4.17.1 security fixes release notes at https://docs.cribl.io/edge/release-notes/release-v4171#security-fixes and announced via the Cribl trust portal at https://trust.cribl.io/notifications. Because exploitation requires local access with low privileges (AV:L/PR:L), interim compensating controls until patching is complete include restricting interactive and remote shell access to hosts running Edge (limits the local attacker pool), tightening file-system and IPC permissions on Edge's working directories and sockets so only the Edge service account can write to them, and auditing which low-privileged service accounts are co-resident on Edge hosts; the trade-off is operational friction for legitimate admins and observability tooling that may share the host.
More in Cribl Edge
View allSame weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29355
GHSA-v5fp-5xmq-m2x6