CVE-2026-56699
Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.
View on NVDAnalysis
Wazuh Manager en versiones previas a 5.0.0-beta3 presenta una vulnerabilidad crítica que permite a agentes inscritos inyectar operaciones NDJSON en solicitudes de OpenSearch. Un atacante puede manipular alertas, borrar documentos y alterar el estado del SIEM utilizando los privilegios de administrador del servidor. Esta falla compromete la integridad de los registros de seguridad y la visibilidad de toda la infraestructura monitoreada.
Relevant roles
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCWE-74EPSS
No EPSS score yet (CVE may be too fresh).
Technical description
Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.