Wazuh: API brute-force protection bypass via race condition in login...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.

Basic Information

ID CVE-2026-26206

Source GitHub_M

Published Apr 29, 2026 at 17:49

Modified Apr 29, 2026 at 18:51

Affected Product

Vendor wazuh

Product wazuh

Version >= 4.0.0, < 4.14.4

Affected Versions wazuh wazuh >= 4.0.0, < 4.14.4

CWE Classification

CWE-307 CWE-362 CWE-367

References

{
    "lastseen": "",
    "description": "Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.",
    "published": "2026-04-29T17:49:15.365Z",
    "modified": "2026-04-29T18:51:59.594Z",
    "type": "cve",
    "title": "Wazuh: API brute-force protection bypass via race condition in login attempt tracking",
    "source": "GitHub_M",
    "references": "https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58\nhttps://github.com/wazuh/wazuh/releases/tag/v4.14.4",
    "id": "CVE-2026-26206",
    "bulletinFamily": "",
    "cwe": [
        "CWE-307",
        "CWE-362",
        "CWE-367"
    ],
    "cvelist": null,
    "sourceData": "wazuh wazuh >= 4.0.0, < 4.14.4",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wazuh",
    "version": ">= 4.0.0, < 4.14.4",
    "vendor": "wazuh",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Wazuh: API brute-force protection bypass via race condition in login attempt tracking_CVE-2026-26206