CVE-2026-56699 PUBLISHED

Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index

Assigner: VulnCheck
Reserved: 22.06.2026 Published: 15.07.2026 Updated: 15.07.2026

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Product Status

Vendor wazuh
Product wazuh
Versions Default: unaffected
  • affected from 5.0.0-beta1 to 5.0.0-beta3 (excl.)
  • Version 5.0.0-beta3 is unaffected

Credits

  • TarPeg007 reporter
  • juliancnn finder

References

Problem Types

  • Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE