CVE-2026-33467
Analyzed Analyzed - Analysis Complete

Improper Signature Verification in Elastic Package Registry Enables Tampering

Vulnerability report for CVE-2026-33467, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-28

Last updated on: 2026-05-05

Assigner: Elastic

Description

Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-28
Last Modified
2026-05-05
Generated
2026-07-06
AI Q&A
2026-04-29
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elastic elastic_package_registry to 1.38.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Verification of Cryptographic Signature (CWE-347) in the Elastic Package Registry. It means that the system does not correctly verify the cryptographic signature of packages. As a result, an attacker who can intercept network traffic or influence the contents served to a self-hosted registry could substitute a tampered package without the integrity check detecting the alteration.

Compliance Impact

This vulnerability involves improper verification of cryptographic signatures in the Elastic Package Registry, which could allow an attacker to substitute tampered packages without detection.

Such a flaw could potentially impact compliance with standards and regulations that require data integrity and protection against unauthorized modification, such as GDPR and HIPAA.

Specifically, the inability to ensure package integrity might lead to unauthorized changes in software components, which could compromise the security and reliability of systems handling sensitive data.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Impact Analysis

The vulnerability can allow an attacker to deliver tampered packages to your Elastic Package Registry without detection. This could lead to the installation of malicious or altered software components, potentially compromising the integrity of your system or applications that rely on these packages.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart