CVE-2026-56699

wazuh · wazuh

Wazuh Manager fails to sanitize input in the DataValue.index field, allowing unauthenticated agents to perform NDJSON injection attacks against the manager.

Executive summary

A critical injection vulnerability in Wazuh Manager allows unauthenticated agents to execute arbitrary operations, potentially compromising the integrity of the SIEM platform.

Vulnerability

The vulnerability stems from improper neutralization of special elements in the DataValue.index field during the construction of OpenSearch bulk requests. This allows an attacker to inject arbitrary NDJSON operations, which are then processed by the manager using its elevated administrative privileges.

Business impact

Successful exploitation allows an attacker to manipulate the SIEM state, including the deletion or modification of security alerts and logs. With a CVSS score of 10, this flaw poses a catastrophic risk, as it allows for the subversion of security monitoring capabilities, potentially masking malicious activity across the entire infrastructure.

Remediation

Immediate Action: Upgrade all Wazuh Manager instances to version 5.0.0-beta3 or higher to resolve the sanitization flaw.

Proactive Monitoring: Monitor OpenSearch and Wazuh logs for unexpected bulk request operations or unauthorized modifications to security indices.

Compensating Controls: Implement strict network segmentation and egress filtering to ensure only trusted agents can communicate with the Wazuh Manager.

Exploitation status

Public Exploit Available: No confirmed public exploit (weaponized or GitHub PoC) is available.

Analyst recommendation

The severity of this vulnerability necessitates an immediate upgrade to the patched version. Security teams should prioritize this remediation to maintain the integrity of their security monitoring and incident response capabilities.