A critical security flaw in the open-source Wazuh platform has shaken the security community: full technical details and working exploit code were recently published online. The flaw lets verified (enrolled) endpoints modify the central log store directly, so any organisation testing this new platform must act urgently or risk major damage to its systems.
The Mechanics of the Injection Flaw
The root cause of this serious flaw is a problem in the platform's asset (inventory) data flow. The technical report states that "The Wazuh 5.0 inventory flow sends a flatbuffer field (DataValue.index) from the agent right into an OpenSearch _bulk NDJSON request without escaping it." Because the value is not escaped, an attacker can embed characters into that field that break out of the intended JSON value. As a result, untrusted endpoints can smuggle unauthorized OpenSearch bulk actions into the manager's backend database requests, and those actions run with the manager's high-level admin rights.
Severe Impact and Exploitation Risks
Exploiting this CVSS 10 Wazuh flaw can have serious consequences for businesses. An attacker can run hidden bulk operations and gain destructive database access, for instance deleting arbitrary documents across indices, which lets them tamper with alerts and clean up after an attack. Attackers can also plant persistent malicious content in saved dashboard objects. Because evidence can be wiped so easily, security teams are left blind when responding to an intrusion on the network.
Keystore Credential Exposure
The manager sends these requests using credentials saved in its local keystore. By default, those credentials belong to admin accounts with full access, so the injected actions run with the highest database privileges.
Available Patches and Remediation
This flaw affects wazuh-manager installations from version 5.0.0-beta1 onward. The older 4.x versions are not affected, because the sync path does not exist in those releases.
The development team has released a fix in version 5.0.0-beta3, which escapes the field properly. Administrators should promptly review the technical details and patch code, which are published in the official Wazuh security advisory on GitHub. Upgrading vulnerable managers is essential to stop unauthorized OpenSearch bulk actions.
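To make the injection mechanics and the fix concrete, here is an added Python example (not Wazuh's own code, which is not shown on this page): a vulnerable NDJSON bulk builder that concatenates an agent-supplied index name, a hardened builder that validates and JSON-encodes it, and a defender-side check that parses a bulk body and refuses anything other than the single expected action. The index-name rules, sample document and hostile value are constructed assumptions for illustration.

```python
import json
import re

# Assumed allow-list for agent-supplied index names (the product's real rules may
# differ): lowercase alphanumerics plus . _ -; no quotes, braces or newlines.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,254}")


def build_bulk_unsafe(index: str, doc: dict) -> str:
    """Vulnerable pattern from the advisory: the agent-controlled index name is
    concatenated into the NDJSON action line without JSON escaping."""
    return '{"index":{"_index":"' + index + '"}}\n' + json.dumps(doc) + "\n"


def build_bulk_safe(index: str, doc: dict) -> str:
    """Hardened builder: reject names outside the allow-list, then let the JSON
    encoder escape the value so it can never terminate the action line."""
    if not INDEX_NAME_RE.fullmatch(index):
        raise ValueError(f"rejected index name: {index!r}")
    action = json.dumps({"index": {"_index": index}}, separators=(",", ":"))
    return action + "\n" + json.dumps(doc, separators=(",", ":")) + "\n"


def parse_bulk_actions(body: str) -> list:
    """Walk an NDJSON bulk body the way OpenSearch does and return (op, index)
    for each action line; index/create/update consume a following source line,
    delete does not."""
    lines = [ln for ln in body.split("\n") if ln]
    actions, i = [], 0
    while i < len(lines):
        (op, meta), = json.loads(lines[i]).items()   # exactly one op per action line
        actions.append((op, meta.get("_index")))
        i += 1 if op == "delete" else 2
    return actions


def is_single_action(body: str, allowed: set) -> bool:
    """Gate for a body built from one inventory document: exactly one index
    action, targeting an allowed index. Anything else is a smuggling attempt."""
    try:
        acts = parse_bulk_actions(body)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    return len(acts) == 1 and acts[0][0] == "index" and acts[0][1] in allowed


# Constructed sample inputs (not taken from any real agent or advisory).
SAMPLE_DOC = {"agent": "agent-001", "package": "openssl", "version": "3.0.2"}
BENIGN_INDEX = "wazuh-states-inventory-packages"
# Constructed hostile value: closes the action line, supplies an empty source,
# smuggles a delete action, then reopens a valid action so the body still parses.
HOSTILE_INDEX = (BENIGN_INDEX + '"}}\n{}\n{"delete":{"_index":"wazuh-alerts","_id":"1"}}\n'
                 '{"index":{"_index":"' + BENIGN_INDEX)
```

Run against the hostile value, the unsafe builder yields a body with three actions including a delete, while the safe builder raises before any request is formed; the gate function rejects the former and accepts a benign body.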
