Description
Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags.
Published: 2026-03-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive GitHub token exposure enabling unauthorized actions
Action: Patch Immediately
AI Analysis

Impact

Wazuh version 4.12.0 contains a flaw in the GitHub Actions workflow artifacts that allows the GITHUB_TOKEN to be extracted from uploaded artifacts. The exposed token can be used during its limited validity window to perform unauthorized operations such as pushing malicious commits or modifying release tags. The weakness is a credential exposure flaw (CWE-522).

Affected Systems

The vulnerability affects the Wazuh product, specifically the GitHub Actions workflows integrated with Wazuh 4.12.0. Users deploying this version are at risk if they publish workflow artifacts that include the GITHUB_TOKEN.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity, and the EPSS score of less than 1% suggests that the current likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an adversary accessing publicly available workflow artifacts, from which the token can be extracted. Once obtained, the token can be used to authorize GitHub API actions until it expires.

Generated by OpenCVE AI on March 31, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Wazuh to the latest patched version that removes the exposed token from workflow artifacts
  • Configure GitHub Actions to prevent sensitive tokens from being included in uploaded artifacts
  • Review existing artifacts for any exposed credentials and delete them
  • Restrict artifact visibility to only trusted users or teams



Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:wazuh:wazuh:4.12.0:*:*:*:*:*:*:*

Tue, 31 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wazuh; Wazuh wazuh

Type: Vendors & Products
Values Removed: (none)
Values Added: Wazuh; Wazuh wazuh

Fri, 27 Mar 2026 20:00:00 +0000

Type: Title
Values Removed: Exposure of the GITHUB_TOKEN in wazuh workflow run artifact
Values Added: Wazuh GitHub Actions Workflow Exposure of Sensitive Credentials

Fri, 27 Mar 2026 18:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags.

Type: Title
Values Removed: (none)
Values Added: Exposure of the GITHUB_TOKEN in wazuh workflow run artifact

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-522

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T14:34:15.734Z

Reserved: 2026-03-27T17:55:46.750Z

Link: CVE-2025-15617

Vulnrichment

Updated: 2026-03-31T14:34:06.116Z

NVD

Status: Analyzed

Published: 2026-03-27T18:16:03.173

Modified: 2026-03-31T17:58:15.933

Link: CVE-2025-15617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:55Z

Weaknesses