Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
Reserved. Details will be published at disclosure.
AnalysisAI
Local privilege-bound input validation flaw in Cribl Edge versions prior to 4.17.1 allows an authenticated low-privileged local user to achieve high impact on confidentiality, integrity, and availability of the affected node. The issue is tracked as CWE-20 (Improper Input Validation) and was reported by Cribl itself with a vendor patch already available; no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Technical ContextAI
Cribl Edge is a distributed data collection and processing agent deployed on endpoints and servers to forward observability data (logs, metrics, traces) to Cribl Stream and downstream destinations. The root cause is classified as CWE-20 (Improper Input Validation), meaning the affected component accepts input that is not properly sanitized or constrained before it influences a security-relevant operation. The CPE cpe:2.3:a:cribl:cribl_edge:*:*:*:*:*:*:*:* combined with the EUVD range 'Cribl Edge 0 <4.17.1' indicates all versions from initial release up to but not including 4.17.1 are vulnerable. Because the CVSS 4.0 vector is AV:L/PR:L, the input that triggers the flaw is supplied through a local interface (such as a local CLI, configuration file, IPC, or local management endpoint) that requires an already-authenticated low-privileged account on the host where the Edge agent runs.
RemediationAI
Vendor-released patch: upgrade Cribl Edge to version 4.17.1 or later as documented in the v4.17.1 security fixes release notes at https://docs.cribl.io/edge/release-notes/release-v4171#security-fixes, and monitor https://trust.cribl.io/notifications for any follow-up advisories. Because exploitation requires local access with at least low privileges, interim compensating controls until patching include restricting interactive and remote-shell access on hosts running Cribl Edge to a minimal set of trusted administrators, tightening filesystem permissions on Cribl Edge configuration directories and Unix sockets / local API endpoints so non-admin users cannot interact with them, and auditing any local management commands or scripts exposed to lower-privileged service accounts (trade-off: may break automation that runs under non-admin service accounts and increases operational friction for legitimate troubleshooting). Avoid running Cribl Edge on multi-tenant hosts shared with untrusted users until the upgrade is applied.
More in Cribl Edge
View allSame weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29358
GHSA-2hpj-h2fj-2jg5