CVE-2026-56699
Received Received - Intake

Wazuh Manager OpenSearch Bulk Request Injection Flaw

Vulnerability report for CVE-2026-56699, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wazuh wazuh_manager From 5.0.0-beta1 (inc) to 5.0.0-beta2 (inc)
wazuh wazuh_manager to 5.0.0-beta3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56699 is a critical vulnerability in Wazuh Manager versions 5.0.0-beta1 and later. It allows enrolled agents to inject arbitrary OpenSearch _bulk operations via the DataValue.index field. The inventory_sync subsystem forwards this field unmodified into an OpenSearch _bulk NDJSON request without proper escaping or validation.

Impact Analysis

Attackers can smuggle malicious operations like document deletions, alert tampering, or SIEM state manipulation into bulk requests executed under the manager's admin credentials. This could lead to data loss, unauthorized modifications, or compromised security monitoring.

Compliance Impact

This vulnerability could severely impact compliance by enabling unauthorized data deletion or tampering, violating integrity and confidentiality requirements in GDPR and HIPAA. It risks exposing sensitive data or failing audit trails due to potential alert or document manipulation.

Detection Guidance

To detect this vulnerability, monitor OpenSearch bulk requests for suspicious NDJSON operations originating from Wazuh Manager inventory_sync. Check for unescaped or malformed DataValue.index fields in logs. Use network traffic analysis tools like tcpdump or Wireshark to inspect TCP/1514 traffic for bulk request anomalies.

Mitigation Strategies

Upgrade Wazuh Manager to version 5.0.0-beta3 or later immediately. If upgrading is not possible, restrict network access to TCP/1514 and downscope the OpenSearch keystore role to a narrower wazuh-server role. Monitor for unauthorized bulk operations in OpenSearch logs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart