CVE-2026-56699
Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.
Ver en NVDAnálisis
Wazuh Manager en versiones previas a 5.0.0-beta3 presenta una vulnerabilidad crítica que permite a agentes inscritos inyectar operaciones NDJSON en solicitudes de OpenSearch. Un atacante puede manipular alertas, borrar documentos y alterar el estado del SIEM utilizando los privilegios de administrador del servidor. Esta falla compromete la integridad de los registros de seguridad y la visibilidad de toda la infraestructura monitoreada.
Roles relevantes
Severidad
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCWE-74EPSS
Sin puntaje EPSS aún (CVE muy reciente).
Descripción técnica
Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.