CVE-2026-32983
Improper SSL/TLS Renegotiation in Wazuh Manager Causes DoS
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wazuh | wazuh | up to 4.7.3 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-32983 is a denial of service (DoS) vulnerability in the Wazuh Manager authd service, affecting wazuh-manager versions up to 4.7.3.
The vulnerability occurs because the authd service does not properly restrict client-initiated SSL/TLS renegotiation requests.
Remote attackers can exploit this by sending a high volume of SSL/TLS renegotiation requests; each renegotiation costs the server CPU time, and enough of them exhaust the CPU and make the authd service unavailable.
How can this vulnerability impact me?
This vulnerability can impact you by allowing remote attackers to cause a denial of service on the Wazuh Manager authd service.
By sending excessive SSL/TLS renegotiation requests, attackers can consume CPU resources, making the authd service unavailable.
This unavailability can disrupt security monitoring and management functions that rely on the Wazuh Manager, potentially affecting system stability and security operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Wazuh Manager authd service for excessive SSL/TLS renegotiation requests from clients. Network traffic analysis tools can be used to identify an unusually high number of renegotiation attempts targeting the authd service.
Commands to detect this may include using packet capture tools like tcpdump or Wireshark to filter SSL/TLS renegotiation packets to the authd service port. For example:
- tcpdump -i <interface> 'tcp port <authd_port> and (((tcp[13] & 8) != 0) or (tcp[((tcp[12] & 0xf0) >> 2):1] = 0x16))'
- Using Wireshark to filter for TLS handshake renegotiation messages by applying the filter: "ssl.record.version == 0x0303 and ssl.handshake.type == 0x01" and looking for repeated renegotiation requests.
Additionally, monitoring CPU usage on the server running the authd service can help detect abnormal spikes caused by excessive renegotiation attempts.
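The tcpdump and Wireshark filters above key off the first byte of the TCP payload being 0x16 (a TLS handshake record). One point worth making explicit for defenders: on a TLS 1.2 connection the renegotiation ClientHello is sent encrypted under the existing session, so its handshake-type byte (0x01) is not visible on the wire; what remains visible is that the client keeps emitting handshake records after the connection has already carried application data. The following script, an added example and not part of this record or of the Wazuh project, implements that heuristic over constructed client-to-server TCP segments: it splits each payload into TLS records, marks a connection as established once it sees application data, and then counts any later handshake records per client. The authd port 1515, the IP addresses, the record bodies and the threshold are all assumptions chosen for the sample; point `segments` at your own capture export to use it on real data.

```python
"""Flag TLS clients that keep sending handshake records after their connection
has already carried application data. On a TLS 1.2 connection that pattern is
the wire-level footprint of client-initiated renegotiation.

Added example for this CVE record; all traffic below is constructed."""
from collections import defaultdict

TLS_CHANGE_CIPHER_SPEC = 0x14
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
AUTHD_PORT = 1515  # Wazuh agent enrolment (authd) default port; assumption, confirm locally


def parse_tls_records(payload):
    """Split a TCP payload into TLS records as (content_type, version, body).
    Stops at the first truncated record instead of guessing at its contents."""
    records = []
    off = 0
    while off + 5 <= len(payload):
        ctype = payload[off]
        version = (payload[off + 1] << 8) | payload[off + 2]
        length = (payload[off + 3] << 8) | payload[off + 4]
        body = payload[off + 5: off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def tls_record(ctype, body, version=0x0303):
    """Build one TLS record; used only to construct the sample traffic."""
    header = bytes([ctype, version >> 8, version & 0xFF, len(body) >> 8, len(body) & 0xFF])
    return header + body


def count_post_handshake_renegotiations(segments, server_port=AUTHD_PORT):
    """segments: iterable of (src_ip, src_port, dst_port, payload) for
    client->server data in arrival order. Returns {src_ip: number of handshake
    records seen after that connection's first application-data record}."""
    established = set()  # (src_ip, src_port) pairs that already carried app data
    renegotiations = defaultdict(int)
    for src_ip, src_port, dst_port, payload in segments:
        if dst_port != server_port:
            continue  # only traffic aimed at the authd listener is of interest
        conn = (src_ip, src_port)
        for ctype, _version, _body in parse_tls_records(payload):
            if ctype == TLS_APPLICATION_DATA:
                established.add(conn)
            elif ctype == TLS_HANDSHAKE and conn in established:
                renegotiations[src_ip] += 1  # handshake record on an established connection
    return dict(renegotiations)


def flag_renegotiation_abuse(segments, threshold=10, server_port=AUTHD_PORT):
    """Return the client IPs whose post-handshake handshake-record count exceeds threshold."""
    counts = count_post_handshake_renegotiations(segments, server_port)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def sample_segments():
    """Constructed traffic: one well-behaved enrolment and one client that
    renegotiates 50 times on an established connection. Bodies are dummy bytes."""
    hello = tls_record(TLS_HANDSHAKE, b"\x01" + b"\x00" * 40)    # plaintext ClientHello
    ccs = tls_record(TLS_CHANGE_CIPHER_SPEC, b"\x01")             # ChangeCipherSpec
    finished = tls_record(TLS_HANDSHAKE, b"\xaa" * 40)             # encrypted Finished
    app = tls_record(TLS_APPLICATION_DATA, b"\xbb" * 64)
    reneg = tls_record(TLS_HANDSHAKE, b"\xcc" * 60)                # encrypted renegotiation ClientHello
    good = [("10.0.0.5", 40001, AUTHD_PORT, hello),
            ("10.0.0.5", 40001, AUTHD_PORT, ccs + finished),
            ("10.0.0.5", 40001, AUTHD_PORT, app)]
    bad = [("10.0.0.9", 51000, AUTHD_PORT, hello),
           ("10.0.0.9", 51000, AUTHD_PORT, ccs + finished),
           ("10.0.0.9", 51000, AUTHD_PORT, app)]
    bad += [("10.0.0.9", 51000, AUTHD_PORT, reneg) for _ in range(50)]
    other = [("10.0.0.7", 52000, 1514, app + reneg)]  # different port, ignored
    return good + bad + other


if __name__ == "__main__":
    for ip, n in count_post_handshake_renegotiations(sample_segments()).items():
        print(f"{ip}: {n} handshake records after application data")
    print("flagged:", flag_renegotiation_abuse(sample_segments()))
```

The well-behaved client's Finished message is also a handshake record, but it arrives before any application data, so it is not counted; only handshake records on an already established connection add to the score. TLS 1.3 has no renegotiation and wraps its post-handshake messages as application data, so the heuristic stays quiet there. Tune the threshold to what a normal enrolment burst looks like on your own manager before alerting on it.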
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include limiting or disabling client-initiated SSL/TLS renegotiation on the Wazuh Manager authd service to prevent excessive renegotiation requests.
If possible, upgrade the wazuh-manager package to a version later than 4.7.3 where this vulnerability is fixed.
In the meantime, consider implementing network-level protections such as firewall rules or rate limiting to restrict the number of SSL/TLS renegotiation requests reaching the authd service.
Monitoring and alerting on unusual CPU usage or network traffic patterns targeting the authd service can also help in early detection and response.