CVE-2026-33467
Analyzed Analyzed - Analysis Complete
Improper Signature Verification in Elastic Package Registry Enables Tampering

Publication date: 2026-04-28

Last updated on: 2026-05-05

Assigner: Elastic

Description
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33467
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elastic elastic_package_registry to 1.38.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Verification of Cryptographic Signature (CWE-347) in the Elastic Package Registry. It means that the system does not correctly verify the cryptographic signature of packages. As a result, an attacker who can intercept network traffic or influence the contents served to a self-hosted registry could substitute a tampered package without the integrity check detecting the alteration.

Impact Analysis

The vulnerability can allow an attacker to deliver tampered packages to your Elastic Package Registry without detection. This could lead to the installation of malicious or altered software components, potentially compromising the integrity of your system or applications that rely on these packages.

Compliance Impact

This vulnerability involves improper verification of cryptographic signatures in the Elastic Package Registry, which could allow an attacker to substitute tampered packages without detection.

Such a flaw could potentially impact compliance with standards and regulations that require data integrity and protection against unauthorized modification, such as GDPR and HIPAA.

Specifically, the inability to ensure package integrity might lead to unauthorized changes in software components, which could compromise the security and reliability of systems handling sensitive data.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart