CVE-2026-33467 PUBLISHED

Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass

Assigner: elastic
Reserved: 20.03.2026 Published: 28.04.2026 Updated: 28.04.2026

Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Elastic
Product	Elastic Package Registry
Versions	Default: unaffected affected from 0.1.0 to 1.37.0 (incl.)

References

https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081

Problem Types

CWE-347 Improper Verification of Cryptographic Signature CWE

Impacts

CAPEC-94 Adversary in the Middle (AiTM)