Description
A vulnerability chain in Cribl Edge for Windows before 4.17.1 allows a local authenticated user to escalate privileges to NT AUTHORITY\SYSTEM. Incorrect default permissions on the Windows installer's authentication directory (CWE-276) expose a cryptographic secret used for JWT signing and password-hash derivation, enabling forgery of administrative API tokens. The forged token can then be used to invoke a pipeline function that reaches an OS command sink (CWE-78) running in the SYSTEM context.
Published: 2026-05-12
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cribl Edge for Windows versions before 4.17.1 contain a chain of vulnerabilities that enables a local authenticated user to gain SYSTEM privileges. The issue originates from incorrect default permissions on the Windows installer’s authentication directory, which expose a cryptographic secret used for JWT signing and password‑hash derivation. An attacker can forge administrative API tokens and then invoke a pipeline function that executes commands through an OS command sink. This results in a full privilege escalation to the SYSTEM account, allowing arbitrary command execution and complete host compromise.

Affected Systems

The affected product is Cribl Edge for Windows. Installations running any version earlier than 4.17.1 are potentially impacted, because the insecure default permissions and the token forgery they enable are present only in releases before 4.17.1. Upgrading to version 4.17.1 or later removes the vulnerability.

Risk and Exploitability

The CVSS score of 8.5 indicates a high‑severity flaw. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local authenticated user who can access the Edge service; by forging a token the attacker can trigger pipeline functions that reach an OS command sink, resulting in the execution of arbitrary commands with SYSTEM privileges.

Generated by OpenCVE AI on June 2, 2026 at 18:39 UTC.

Remediation

Vendor Solution

Upgrade Cribl Edge to v4.17.1 or higher. Upgrading fully resolves this vulnerability and no additional mitigation is required.


OpenCVE Recommended Actions

  • Upgrade Cribl Edge to version 4.17.1 or later, which removes the insecure directory permissions and token forgery flaw.
  • Verify that the installer’s authentication directory has restrictive permissions and that no world‑readable cryptographic secrets remain on the filesystem.
  • Limit the Edge service to trusted networks by applying firewall rules or network segmentation, and restrict local user access to only those whose privileges are strictly required.
  • Regularly monitor Cribl’s release notes and security advisories for additional updates or downstream patches.
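
One way to carry out the permission check from the second recommendation, as an added example (not Cribl or OpenCVE code). The page does not give the directory path, so `-AuthDir` is a placeholder you supply, and the set of principals treated as too broad is an assumption.

```powershell
# Added example. The authentication directory path is not stated on the
# page; pass the one from your own Cribl Edge for Windows installation.
param(
    [Parameter(Mandatory)]
    [string]$AuthDir   # placeholder, e.g. '<Cribl Edge install dir>\<auth directory>'
)

# Well-known SIDs of broad, unprivileged principals (locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Specific rights that disclose a secret file or allow tampering with it.
$risky = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_READ / GENERIC_WRITE / GENERIC_ALL bits instead.
$generic = 0x80000000 -bor 0x40000000 -bor 0x10000000

function Get-BroadAccess {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # account name that no longer resolves to a SID
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band ($risky -bor $generic)) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory itself and everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $AuthDir -Force) + @(Get-ChildItem -LiteralPath $AuthDir -Recurse -Force)
$findings = @($items | ForEach-Object { Get-BroadAccess -Path $_.FullName })

if ($findings.Count) {
    $findings | Format-List | Out-Host
    exit 1
}
"No Allow ACE for Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users under $AuthDir"
```

Run it from an elevated session so every ACL can be read. It reports ACEs granted to the listed groups only, so an ACE naming an individual low-privileged account still needs a manual look.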

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Reserved. Details will be published at disclosure. A vulnerability chain in Cribl Edge for Windows before 4.17.1 allows a local authenticated user to escalate privileges to NT AUTHORITY\SYSTEM. Incorrect default permissions on the Windows installer's authentication directory (CWE-276) expose a cryptographic secret used for JWT signing and password-hash derivation, enabling forgery of administrative API tokens. The forged token can then be used to invoke a pipeline function that reaches an OS command sink (CWE-78) running in the SYSTEM context.
Title Local privilege escalation to SYSTEM in Cribl Edge for Windows
Weaknesses CWE-276
CWE-78
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 15 May 2026 13:45:00 +0000

Type Values Removed Values Added
Title Cribl Edge Reserved Vulnerability Awaiting Disclosure

Fri, 15 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cribl
Cribl cribl
Vendors & Products Cribl
Cribl cribl

Tue, 12 May 2026 03:45:00 +0000

Type Values Removed Values Added
Title Cribl Edge Reserved Vulnerability Awaiting Disclosure

Tue, 12 May 2026 02:00:00 +0000

Type Values Removed Values Added
Description Reserved. Details will be published at disclosure.
References

MITRE

Status: PUBLISHED

Assigner: Cribl

Published:

Updated: 2026-06-02T15:55:07.304Z

Reserved: 2026-05-12T01:05:53.672Z

Link: CVE-2026-45393

Vulnrichment

Updated: 2026-05-15T10:57:50.789Z

NVD

Status: Deferred

Published: 2026-05-12T02:16:13.310

Modified: 2026-06-17T10:52:00.480

Link: CVE-2026-45393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:45:06Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-276

    Incorrect Default Permissions

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')