PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33434 wazuh CVE debrief

CVE-2026-33434 is a medium-severity vulnerability in Wazuh, a free and open-source platform for threat prevention, detection, and response. The issue allows for event injection into analysisd beyond the admin-configured global rate limit due to a logic error in CheckRateLimitsMiddleware.dispatch(). Affected product deployments should be reviewed for potential exposure, and rate limit configurations should be updated to prevent event injection attacks.

Vendor
wazuh
Product
Unknown
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Wazuh versions 4.6.0 and above, prior to 4.14.5, should apply the patch to prevent potential event injection attacks. Security teams and operators managing Wazuh deployments need to review and update rate limit configurations to ensure they are adequate for their environment. Vulnerability management and platform security teams should prioritize patching and compensating controls.

Technical summary

In Wazuh versions 4.6.0 and above, prior to 4.14.5, a logic error in CheckRateLimitsMiddleware.dispatch() causes the /events endpoint rate check to unconditionally overwrite the general rate limit result. When the global max_request_per_minute is exceeded, requests to /events still succeed if the events-specific counter (hardcoded 30/min) has not been reached. This allows event injection into analysisd beyond the admin-configured global rate limit. Defenders should review and update rate limit configurations.

Defensive priority

Apply the patch to prevent potential event injection attacks. Review and update rate limit configurations to ensure they are adequate for your environment. Prioritize patching and compensating controls for exposed systems.

Recommended defensive actions

  • Apply the patch to Wazuh versions 4.6.0 and above, prior to 4.14.5
  • Review and update rate limit configurations to ensure they are adequate for your environment
  • Monitor /events endpoint usage for suspicious activity
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T00:16:24.573Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that defenders verify the affected Wazuh versions 4.6.0 and above, prior to 4.14.5, and review rate limit configurations. Further verification tasks are needed to confirm the vulnerability's impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T00:16:24.573Z and has not been modified since then.