Description
Wazuh is an open source project for security detection, visibility, and compliance. In versions 4.4.0 and 4.4.1, the Wazuh API administrator key used by the Dashboard can be obtained through the browser development tools. This allows a user logged in to the dashboard to become an administrator of the API, even if their dashboard role is not an administrator role. Version 4.4.2 contains a fix. There are no known workarounds.
References (3)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf
Issue Tracking x_refsource_misc
https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427
Patch x_refsource_misc
https://github.com/wazuh/wazuh-kibana-app/pull/5428
Scores
CVSS v3: 8.8
EPSS: 0.0014
EPSS Percentile: 33.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-639
Status: published
Products (2)
wazuh/wazuh-dashboard: 4.4.0 - 4.4.2
wazuh/wazuh-kibana-app: 4.4.0 - 4.4.2
Published: Oct 09, 2023
Tracked Since: Feb 18, 2026