Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-56699

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.

View on NVD

Analysis

Wazuh Manager en versiones previas a 5.0.0-beta3 presenta una vulnerabilidad crítica que permite a agentes inscritos inyectar operaciones NDJSON en solicitudes de OpenSearch. Un atacante puede manipular alertas, borrar documentos y alterar el estado del SIEM utilizando los privilegios de administrador del servidor. Esta falla compromete la integridad de los registros de seguridad y la visibilidad de toda la infraestructura monitoreada.

Relevant roles

CyberSecurityBackendNosqlLinuxCloudDocker

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-74

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.

Published: 7/15/2026, 12:18:15 PM
Last modified: 7/15/2026, 1:17:26 PM

References

HomeEventsBlogResourcesTeam