{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wazuh-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-56699"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Wazuh Manager"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","injection","SIEM","Wazuh"],"_cs_type":"advisory","_cs_vendors":["Wazuh"],"content_html":"\u003cp\u003eCVE-2026-56699 describes a critical vulnerability affecting Wazuh Manager versions before 5.0.0-beta3. This injection flaw (CWE-74) arises because the manager fails to properly escape the \u003ccode\u003eDataValue.index\u003c/code\u003e field when constructing OpenSearch bulk requests. A compromised or malicious enrolled agent can leverage this vulnerability to inject arbitrary NDJSON operations into these requests. As these requests are executed with the manager's administrative credentials, attackers can perform unauthorized actions such as deleting documents, tampering with security alerts, and manipulating the SIEM state across various agents. This leads to severe data integrity issues within the security monitoring system and facilitates defense evasion, posing a significant risk to organizations using affected Wazuh Manager versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over an enrolled Wazuh agent within an environment.\u003c/li\u003e\n\u003cli\u003eThe compromised agent crafts a specially malformed \u003ccode\u003eDataValue.index\u003c/code\u003e field, embedding arbitrary NDJSON operations (e.g., delete, index, or update commands).\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eDataValue.index\u003c/code\u003e field is sent from the compromised agent to the Wazuh Manager as part of its regular communication.\u003c/li\u003e\n\u003cli\u003eThe Wazuh Manager, vulnerable to CVE-2026-56699, processes this unescaped \u003ccode\u003eDataValue.index\u003c/code\u003e field received from the agent.\u003c/li\u003e\n\u003cli\u003eThe manager then constructs an OpenSearch bulk request, inadvertently including the attacker-controlled NDJSON operations due to the lack of proper escaping.\u003c/li\u003e\n\u003cli\u003eThis OpenSearch bulk request, now containing the malicious operations, is executed by the Wazuh Manager using its administrative credentials.\u003c/li\u003e\n\u003cli\u003eThe OpenSearch cluster processes the injected NDJSON operations, resulting in actions such as document deletion, alert tampering, and cross-agent SIEM state manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-56699 grants attackers the ability to compromise the integrity of security data managed by Wazuh Manager and its integrated OpenSearch cluster. Consequences include the permanent deletion of critical security logs and historical data, tampering with active security alerts to evade detection, and manipulating the overall SIEM state, potentially disabling or misdirecting security monitoring efforts across all managed agents. This can lead to significant blind spots for defenders, enabling further malicious activities to go unnoticed and hindering incident response capabilities. The vulnerability has a CVSS v3.1 base score of 10.0, indicating critical severity and potential for widespread and devastating impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-56699 immediately by upgrading Wazuh Manager to version 5.0.0-beta3 or later.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:19:46Z","date_published":"2026-07-15T12:19:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-56699-wazuh-injection/","summary":"Wazuh Manager versions prior to 5.0.0-beta3 are critically vulnerable to an injection flaw, CVE-2026-56699 (CWE-74), enabling enrolled agents to inject arbitrary NDJSON operations into OpenSearch bulk requests, leading to data integrity compromise and defense evasion.","title":"Wazuh Manager Vulnerability CVE-2026-56699 Allows NDJSON Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-56699-wazuh-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Wazuh Manager","version":"https://jsonfeed.org/version/1.1"}