PatchSiren cyber security CVE debrief
CVE-2026-33434 wazuh CVE debrief
CVE-2026-33434 is a medium-severity vulnerability in Wazuh, a free and open-source platform for threat prevention, detection, and response. The issue allows for event injection into analysisd beyond the admin-configured global rate limit due to a logic error in CheckRateLimitsMiddleware.dispatch(). Affected product deployments should be reviewed for potential exposure, and rate limit configurations should be updated to prevent event injection attacks.
- Vendor
- wazuh
- Product
- Unknown
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Wazuh versions 4.6.0 and above, prior to 4.14.5, should apply the patch to prevent potential event injection attacks. Security teams and operators managing Wazuh deployments need to review and update rate limit configurations to ensure they are adequate for their environment. Vulnerability management and platform security teams should prioritize patching and compensating controls.
Technical summary
In Wazuh versions 4.6.0 and above, prior to 4.14.5, a logic error in CheckRateLimitsMiddleware.dispatch() causes the /events endpoint rate check to unconditionally overwrite the general rate limit result. When the global max_request_per_minute is exceeded, requests to /events still succeed if the events-specific counter (hardcoded 30/min) has not been reached. This allows event injection into analysisd beyond the admin-configured global rate limit. Defenders should review and update rate limit configurations.
Defensive priority
Apply the patch to prevent potential event injection attacks. Review and update rate limit configurations to ensure they are adequate for your environment. Prioritize patching and compensating controls for exposed systems.
Recommended defensive actions
- Apply the patch to Wazuh versions 4.6.0 and above, prior to 4.14.5
- Review and update rate limit configurations to ensure they are adequate for your environment
- Monitor /events endpoint usage for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T00:16:24.573Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that defenders verify the affected Wazuh versions 4.6.0 and above, prior to 4.14.5, and review rate limit configurations. Further verification tasks are needed to confirm the vulnerability's impact.
Official resources
-
CVE-2026-33434 CVE record
CVE.org
-
CVE-2026-33434 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T00:16:24.573Z and has not been modified since then.