Description
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
Published: 2026-04-28
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness is an improper verification of cryptographic signatures (CWE-347) in Elastic Package Registry. An attacker who can intercept traffic between a consumer and the registry, or who can otherwise influence what a self-hosted registry serves, can substitute a tampered package, and the integrity check does not fail closed: instead of rejecting a package whose signature cannot be confirmed, it lets the package through. The rated impact is to integrity only, but a consumer that installs and runs packages on the strength of that check, with no independent validation, could end up executing attacker-supplied code.

Affected Systems

The affected product is Elastic Package Registry from Elastic. The available data gives no affected version range and references no fixed release, so treat any self-hosted Elastic Package Registry deployment as potentially affected until Elastic publishes version details.

Risk and Exploitability

The CVSS v3.1 base score is 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N: reachable over the network without authentication or user interaction, but with high attack complexity, and the rated impact is on integrity only. EPSS is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC entry records exploitation as "none" and the flaw as not automatable. Exploitation requires an attacker who can intercept registry traffic or control what a self-hosted registry serves; the direct consequence is that a tampered package passes the integrity check, and whether that escalates to code execution depends on what consumers do with the package. No public exploitation is known, but a bypass of the signature check on a package source warrants timely remediation.

Generated by OpenCVE AI on April 29, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Elastic Package Registry to a patched version as soon as Elastic announces one; at the time of this page no vendor fix or workaround is listed.
  • Serve the registry only over TLS and make sure consumers verify the server certificate (a private CA or pinned certificate for self-hosted deployments); restrict network access to the registry to trusted hosts so that neither the registry's upstream nor its clients can be interposed on.
  • Independently validate package signatures in your build or deployment pipeline, and treat a missing, unparseable or mismatched signature as a failure rather than as "nothing to check", so that a bypass in the registry's own check does not become silent acceptance downstream.
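The Impact section above and the last recommendation turn on one point: a signature check that cannot succeed must reject, not accept. The Go program below is an added illustration and is not Elastic Package Registry code, nor a description of how its verification is implemented. It assumes a detached Ed25519 signature over the SHA-256 digest of a package archive and a consumer that holds the publisher's public key obtained out of band; the key pairs, package bytes and signatures are constructed inline. It contrasts a fail-open verifier, which treats a missing signature or an unusable key as "nothing to check", with a fail-closed one, across a genuine package, a package served with its signature stripped, a tampered package re-signed by the attacker, and a tampered archive served with the original signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not Elastic Package Registry code. Assumes a detached
// Ed25519 signature over the SHA-256 digest of the package archive and a
// publisher public key the consumer pinned out of band.

var (
	ErrNoTrustedKey = errors.New("trusted publisher key unavailable; refusing to install")
	ErrUnsigned     = errors.New("package has no signature")
	ErrBadSignature = errors.New("package signature does not verify")
)

// Package is a registry response as seen by the consumer.
type Package struct {
	Name    string
	Archive []byte
	Sig     []byte // detached signature; nil if the server omitted it
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

func sign(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, digest(archive))
}

// verifyFailOpen is the CWE-347 shape: when there is nothing usable to
// verify against, it returns true and the package is installed anyway.
func verifyFailOpen(pub ed25519.PublicKey, p Package) bool {
	if len(pub) != ed25519.PublicKeySize || len(p.Sig) == 0 {
		return true // BUG: "nothing to check" is treated as success
	}
	return ed25519.Verify(pub, digest(p.Archive), p.Sig)
}

// verifyFailClosed only returns nil when a signature is present and verifies
// under the pinned key; every other state is a distinct, hard error.
func verifyFailClosed(pub ed25519.PublicKey, p Package) error {
	if len(pub) != ed25519.PublicKeySize {
		return ErrNoTrustedKey
	}
	if len(p.Sig) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, digest(p.Archive), p.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Verdict records what each verifier decided for one constructed scenario.
type Verdict struct {
	FailOpenAccepts bool
	FailClosedErr   error
}

// Scenarios builds the constructed cases and runs both verifiers on them.
func Scenarios() map[string]Verdict {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)  // publisher key, pinned by the consumer
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	good := []byte("constructed package archive demo-1.0.0")
	tampered := []byte("constructed package archive demo-1.0.0 plus implant")
	cases := map[string]Package{
		"genuine":  {Name: "demo", Archive: good, Sig: sign(priv, good)},
		"stripped": {Name: "demo", Archive: tampered, Sig: nil},
		"resigned": {Name: "demo", Archive: tampered, Sig: sign(attackerPriv, tampered)},
		"modified": {Name: "demo", Archive: tampered, Sig: sign(priv, good)},
	}
	out := make(map[string]Verdict, len(cases))
	for name, p := range cases {
		out[name] = Verdict{
			FailOpenAccepts: verifyFailOpen(pub, p),
			FailClosedErr:   verifyFailClosed(pub, p),
		}
	}
	return out
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-9s fail-open accepts=%-5v fail-closed: %v\n", name, v.FailOpenAccepts, v.FailClosedErr)
	}
}
```

Both verifiers reject a re-signed or modified archive when a signature is present, because the cryptography itself holds; they diverge only on the stripped case, where the fail-open check accepts an unsigned tampered archive. That is the property to test in a pipeline: feed it a package with the signature removed and confirm the install is refused.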

Generated by OpenCVE AI on April 29, 2026 at 01:14 UTC.

Advisories

No advisories yet.

History

Each entry below lists the values added by that change; none of the changes removed values.

Wed, 29 Apr 2026 15:15:00 +0000

  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 10:30:00 +0000

  First Time appeared (added): Elastic; Elastic elastic Package Registry
  Vendors & Products (added): Elastic; Elastic elastic Package Registry

Tue, 28 Apr 2026 22:15:00 +0000

  Description (added): Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
  Title (added): Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass
  Weaknesses (added): CWE-347
  References (added): none listed
  Metrics (added): cvssV3_1
    {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-29T15:10:02.861Z

Reserved: 2026-03-20T10:53:23.100Z

Link: CVE-2026-33467

Vulnrichment

Updated: 2026-04-29T14:54:58.168Z

NVD

Status : Awaiting Analysis

Published: 2026-04-28T22:16:48.823

Modified: 2026-04-30T15:48:26.580

Link: CVE-2026-33467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:18Z

Weaknesses