Skip to main content
5 CVEs HIGH CVSS 7.5

Wazuh Memory Safety and Access Control Vulnerabilities

2026-07-17

CVE-2026-34150 HIGH

Denial of service in Wazuh's analysis engine (wazuh-analysisd) lets an unauthenticated remote attacker permanently halt SIEM alert processing on Wazuh manager versions 1.0.0 through 4.14.4. Because the official wazuh/wazuh-docker deployment ships with password-less agent enrollment enabled by default, an attacker can register as an agent and send a crafted rootcheck event that overflows a fixed 30-byte heap buffer, crashing the daemon while the dashboard and API keep showing stale data - silently blinding the SIEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

7.5
CVSS
CVE-2026-39359 HIGH

Sensitive file disclosure in the Wazuh Manager (versions 4.0.0-4.10.3 and 4.11.0-4.14.4) allows a malicious enrolling agent to exfiltrate manager secrets by abusing the group parameter during enrollment. The authd enrollment daemon fails to filter path traversal ("..") sequences in the agent-selected group name, so remoted later builds shared-configuration paths that reach /var/ossec/etc and stream files such as client.keys, ossec.conf, and internal certificates to the attacker-controlled agent. There is no public exploit identified at time of analysis, but the network-reachable, unauthenticated CVSS 7.5 profile makes this a meaningful confidentiality risk for exposed manager enrollment services.

7.5
CVSS
CVE-2026-33754 MEDIUM

Memory exhaustion denial-of-service in Wazuh's cluster protocol parser affects all deployments running versions 3.9.0 through 4.14.4. The cluster service reads an attacker-supplied payload length from an incoming message header and allocates memory of that size before performing any authentication or decryption, enabling unauthenticated adjacent-network attackers to exhaust system memory and crash the cluster service. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch 4.14.5 is available.

6.5
CVSS
CVE-2026-44251 MEDIUM PATCH

Remote denial-of-service and potential heap corruption in the Wazuh manager's wazuh-remoted daemon allows any enrolled agent to crash the manager's agent-communication process, instantly severing all agent connections across the entire deployment. Affected versions span 3.0.0 through 4.14.4; a secondary code path triggered by the same underflow may permit heap memory write primitives beyond pure DoS. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation barrier - any enrolled agent suffices - makes it a meaningful insider or supply-chain risk for Wazuh-dependent SOC environments.

6.5
CVSS
CVE-2026-33434 MEDIUM

Rate limit bypass in Wazuh's /events endpoint allows authenticated network users to inject events into analysisd beyond the administrator-configured global rate limit. A logic error in CheckRateLimitsMiddleware.dispatch() causes the endpoint-specific counter (hardcoded at 30 requests/min) to unconditionally overwrite the result of the global rate limit check, meaning the global max_request_per_minute threshold is silently ignored for this endpoint. Versions 4.6.0 through 4.14.4 are affected; no public exploit code has been identified and the issue is not listed in CISA KEV.

4.3
CVSS

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy