Skip to content
Threat Feed
critical advisory

Wazuh Manager Vulnerability CVE-2026-56699 Allows NDJSON Injection

Wazuh Manager versions prior to 5.0.0-beta3 are critically vulnerable to an injection flaw, CVE-2026-56699 (CWE-74), enabling enrolled agents to inject arbitrary NDJSON operations into OpenSearch bulk requests, leading to data integrity compromise and defense evasion.

CVE-2026-56699 describes a critical vulnerability affecting Wazuh Manager versions before 5.0.0-beta3. This injection flaw (CWE-74) arises because the manager fails to properly escape the DataValue.index field when constructing OpenSearch bulk requests. A compromised or malicious enrolled agent can leverage this vulnerability to inject arbitrary NDJSON operations into these requests. As these requests are executed with the manager's administrative credentials, attackers can perform unauthorized actions such as deleting documents, tampering with security alerts, and manipulating the SIEM state across various agents. This leads to severe data integrity issues within the security monitoring system and facilitates defense evasion, posing a significant risk to organizations using affected Wazuh Manager versions.

Attack Chain

  1. An attacker gains control over an enrolled Wazuh agent within an environment.
  2. The compromised agent crafts a specially malformed DataValue.index field, embedding arbitrary NDJSON operations (e.g., delete, index, or update commands).
  3. The malicious DataValue.index field is sent from the compromised agent to the Wazuh Manager as part of its regular communication.
  4. The Wazuh Manager, vulnerable to CVE-2026-56699, processes this unescaped DataValue.index field received from the agent.
  5. The manager then constructs an OpenSearch bulk request, inadvertently including the attacker-controlled NDJSON operations due to the lack of proper escaping.
  6. This OpenSearch bulk request, now containing the malicious operations, is executed by the Wazuh Manager using its administrative credentials.
  7. The OpenSearch cluster processes the injected NDJSON operations, resulting in actions such as document deletion, alert tampering, and cross-agent SIEM state manipulation.

Impact

The successful exploitation of CVE-2026-56699 grants attackers the ability to compromise the integrity of security data managed by Wazuh Manager and its integrated OpenSearch cluster. Consequences include the permanent deletion of critical security logs and historical data, tampering with active security alerts to evade detection, and manipulating the overall SIEM state, potentially disabling or misdirecting security monitoring efforts across all managed agents. This can lead to significant blind spots for defenders, enabling further malicious activities to go unnoticed and hindering incident response capabilities. The vulnerability has a CVSS v3.1 base score of 10.0, indicating critical severity and potential for widespread and devastating impact.

Recommendation

  • Patch CVE-2026-56699 immediately by upgrading Wazuh Manager to version 5.0.0-beta3 or later.