CVE-2026-33434
Received Received - Intake

Wazuh Rate Limit Bypass in Events Endpoint

Vulnerability report for CVE-2026-33434, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.6.0 and above, prior to 4.14.5, a logic error in CheckRateLimitsMiddleware.dispatch() causes the /events endpoint rate check to unconditionally overwrite the general rate limit result. When the global max_request_per_minute is exceeded, requests to /events still succeed if the events-specific counter (hardcoded 30/min) has not been reached. This allows event injection into analysisd beyond the admin-configured global rate limit. This issue has been fixed in version 4.14.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wazuh wazuh From 4.6.0 (inc) to 4.14.5 (exc)
wazuh wazuh 4.14.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-33434 is a rate limit bypass vulnerability in Wazuh versions 4.6.0 to 4.14.4. It occurs in the /events endpoint due to a logic error in CheckRateLimitsMiddleware.dispatch(). When the global rate limit is exceeded, requests to /events can still succeed if the events-specific counter (30/min) has not been reached. This allows attackers to bypass the intended global rate limit and inject events into the analysis system.

Detection Guidance

To detect this vulnerability, monitor the Wazuh Manager REST API logs for excessive requests to the /events endpoint. Check if the global rate limit (max_request_per_minute) is bypassed while the events-specific counter (30/min) remains under the limit. Use tools like curl to test rate limits: curl -X POST http://<wazuh-manager-ip>:55000/events -H 'Content-Type: application/json' -d '{"data":"test"}' and observe if requests succeed after the global limit is exceeded.

Impact Analysis

This vulnerability allows attackers to bypass rate limits and send more events to the Wazuh Manager than intended. This could lead to system overload, denial of service, or unauthorized event injection. The impact is limited to availability as it does not affect confidentiality or integrity.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized event injection into the analysis system due to a rate limit bypass. If exploited, it may lead to excessive data processing or unauthorized access, violating principles of data protection and security required by these regulations.

Mitigation Strategies

Upgrade Wazuh Manager to version 4.14.5 or later to fix the logic error in CheckRateLimitsMiddleware.dispatch(). If immediate upgrade is not possible, temporarily reduce the events-specific rate limit (30/min) to match the global limit or disable the /events endpoint until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart