CVE-2026-56699
CRITICAL Exploitation: PoC
10.0
CVSS 3.1
Description
Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.
Metadata
Severity & Metrics
10.0
CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| wazuh | wazuh | — | 5.0.0-beta1 < 5.0.0-beta3, 5.0.0-beta3 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-74 | cna | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 10.0 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| 10.0 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (2)
- GitHub Security Advisory (GHSA-ff9g-85jq-r3g3) https://github.com/wazuh/wazuh/security/advisories/GHSA-ff9g-85jq-r3g3
- VulnCheck Advisory: Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index https://www.vulncheck.com/advisories/wazuh-manager-ndjson-injection-in-inventory-sync-via-agent-controlled-datavalue-index