Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service (DoS) vulnerability exists in the Wazuh API authentication middleware (`middlewares.py`). The application uses an asynchronous event loop (Starlette/Asyncio) to call a synchronous function (`generate_keypair`) that performs blocking disk I/O on every request containing a Bearer token. An unauthenticated remote attacker can exploit this by flooding the API with requests containing invalid Bearer tokens. This forces the single-threaded event loop to pause for file read operations repeatedly, starving the application of CPU resources and potentially preventing it from accepting or processing legitimate connections. Version 4.14.3 fixes the issue.
Published: 2026-03-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The vulnerability is caused by calling a synchronous disk I/O function (`generate_keypair`) inside an asynchronous event loop, which blocks the single-threaded Starlette/Asyncio loop on every bearer-token request. An attacker can flood the API with requests that include invalid bearer tokens, causing repeated blocking and starvation of CPU resources. The result is a denial of service that prevents legitimate connections from being handled. This weakness is classified as CWE-400: Uncontrolled Resource Consumption.

Affected Systems

Affects the Wazuh platform (vendor: wazuh:wazuh). Versions starting at 4.3.0 up through 4.14.2 are vulnerable; the issue is fixed in 4.14.3 and later.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS score of less than 1%, the vulnerability is unlikely to be widely exploited yet. It is not listed in the CISA KEV catalog. The attack vector is remote, unauthenticated, and relies on flooding the API with malformed bearer tokens to block the event loop.

Generated by OpenCVE AI on March 19, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.3 or later to apply the vendor patch.
  • If an immediate upgrade is not feasible, inspect the application logs for excessive authentication requests and consider implementing request rate limiting or firewall rules to mitigate flood attempts.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 15:00:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 14:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000
  Type: First Time appeared
  Values added: Wazuh; Wazuh wazuh
  Type: Vendors & Products
  Values added: Wazuh; Wazuh wazuh

Tue, 17 Mar 2026 18:45:00 +0000
  Type: Description
  Values added: (the description text shown at the top of this page)
  Type: Title
  Values added: Wazuh Vulnerable to Denial of Service via Synchronous I/O Blocking in Asynchronous Authentication Middleware
  Type: Weaknesses
  Values added: CWE-400
  Type: References
  Values added:
  Type: Metrics (cvssV3_1)
  Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T13:37:20.251Z

Reserved: 2026-02-05T18:35:52.359Z

Link: CVE-2026-25771

Vulnrichment

Updated: 2026-03-18T13:37:10.549Z

NVD

Status: Analyzed

Published: 2026-03-17T19:16:01.083

Modified: 2026-03-19T14:58:04.800

Link: CVE-2026-25771

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:48:56Z

Weaknesses