CVE-2026-25771
Published: 17 March 2026
Summary
CVE-2026-25771 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in the Wazuh platform (vendor: Wazuh), affecting versions 4.3.0 up to but not including 4.14.3. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked in the top 41.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 (Denial-of-service Protection): directly protects against DoS attacks by implementing rate limiting, traffic shaping, and other techniques to prevent resource exhaustion from a flood of requests carrying invalid Bearer tokens.
SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the specific flaw in the authentication middleware, as fixed in Wazuh version 4.14.3, which eliminates the blocking disk I/O trigger.
SC-6 (Resource Availability): ensures protection of CPU and event loop resources from unauthorized denial caused by repeated blocking operations on invalid authentication requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables an unauthenticated remote attacker to trigger repeated blocking I/O operations via crafted Bearer token requests, directly facilitating application-layer resource exhaustion (CPU starvation of the event loop) to achieve DoS.
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service (DoS) vulnerability exists in the Wazuh API authentication middleware (`middlewares.py`). The application uses an asynchronous event loop (Starlette/Asyncio) to call a synchronous function (`generate_keypair`) that performs blocking disk I/O on every request containing a Bearer token. An unauthenticated remote attacker can exploit this by flooding the API with requests containing invalid Bearer tokens. This forces the single-threaded event loop to pause for file read operations repeatedly, starving the application of CPU resources and potentially preventing it from accepting or processing legitimate connections. Version 4.14.3 fixes the issue.
Deeper analysis
CVE-2026-25771 is a Denial of Service (DoS) vulnerability in the Wazuh API authentication middleware, located in middlewares.py. Wazuh, a free and open source platform for threat prevention, detection, and response, is affected in versions starting from 4.3.0 and prior to 4.14.3. The issue stems from the application's use of an asynchronous event loop (Starlette/Asyncio) that invokes a synchronous function, generate_keypair, which performs blocking disk I/O on every request containing a Bearer token. This design flaw leads to resource exhaustion under load.
An unauthenticated remote attacker can exploit this vulnerability by flooding the Wazuh API with requests containing invalid Bearer tokens. Each such request triggers the blocking disk I/O operation, causing the single-threaded event loop to pause repeatedly. This starves the application of CPU resources, potentially preventing it from accepting or processing legitimate connections and resulting in a DoS condition. The vulnerability has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and is associated with CWE-400 (Uncontrolled Resource Consumption).
The Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-33w3-p5hm-jw7g details the issue and confirms that version 4.14.3 addresses the vulnerability by fixing the blocking behavior in the authentication middleware. Security practitioners should upgrade to Wazuh 4.14.3 or later. Because the trigger is unauthenticated and requires only that a Bearer header be present, not that it be valid, rate limiting or access restriction in front of the API (per SC-5 above) is the relevant compensating control until the upgrade is done.
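The mechanism described in the NVD text and in the analysis above (a coroutine on a single-threaded asyncio loop calling a synchronous function that does disk I/O on every request) is easy to see in isolation. The following Python script is an added demonstration written for this page; it is not Wazuh's code, not `middlewares.py`, and not the 4.14.3 fix. The key file, the token check, the latency figure and the names `load_keypair_blocking`, `auth_vulnerable`, `auth_offloaded`, `auth_cached` and `loop_ticks_during_flood` are all constructed stand-ins. It floods each middleware variant with invalid Bearer tokens while a 1 ms heartbeat task shares the loop, and reports how many heartbeats survived: near zero for the vulnerable pattern, many for the two hardened patterns (offloading the blocking call to a worker thread, and loading the key material once instead of per request).

```python
"""Added demonstration (not Wazuh code): blocking disk I/O on an asyncio loop.

Constructed stand-ins: the key file, the token check and the latency figure
are hypothetical; only the call pattern mirrors the advisory.
Requires Python 3.9+ (asyncio.to_thread).
"""
import asyncio
import atexit
import os
import tempfile
import time

# Constructed stand-in for the on-disk key material read on every request.
_tmp = tempfile.NamedTemporaryFile(delete=False)
_tmp.write(os.urandom(512))
_tmp.close()
KEY_PATH = _tmp.name
atexit.register(os.remove, KEY_PATH)
SIMULATED_DISK_LATENCY = 0.02  # seconds; exaggerated so the starvation is measurable


def load_keypair_blocking(path=KEY_PATH):
    """Synchronous read; time.sleep stands in for disk latency. Like a real
    read(), it blocks whichever thread calls it, so when that thread is the
    event loop thread, the loop itself stops for the duration."""
    with open(path, "rb") as fh:
        data = fh.read()
    time.sleep(SIMULATED_DISK_LATENCY)
    return data


def token_is_valid(token, key):
    """Hypothetical check; a real middleware would verify a signed JWT with `key`."""
    return token == "Bearer valid-token"


async def auth_vulnerable(token):
    """Pattern from the advisory: the coroutine calls the sync, disk-touching
    function directly, so every request (valid or not) freezes the loop."""
    key = load_keypair_blocking()
    return token_is_valid(token, key)


async def auth_offloaded(token):
    """Mitigation A: run the blocking call in a worker thread; the loop stays free."""
    key = await asyncio.to_thread(load_keypair_blocking)
    return token_is_valid(token, key)


_cache = {}


async def auth_cached(token):
    """Mitigation B: key material does not change per request, so load it once
    (off the loop thread, under a lock) and stop paying the I/O cost at all."""
    if "key" not in _cache:
        lock = _cache.setdefault("lock", asyncio.Lock())
        async with lock:
            if "key" not in _cache:
                _cache["key"] = await asyncio.to_thread(load_keypair_blocking)
    return token_is_valid(token, _cache["key"])


async def loop_ticks_during_flood(middleware, n_requests):
    """Flood `middleware` with invalid tokens while a 1 ms heartbeat shares the
    loop. The tick count measures how responsive the loop stayed; a starved
    loop (the CWE-400 condition) yields a count near zero."""
    ticks = 0
    stop = asyncio.Event()

    async def heartbeat():
        nonlocal ticks
        while not stop.is_set():
            await asyncio.sleep(0.001)
            ticks += 1

    hb = asyncio.create_task(heartbeat())
    results = await asyncio.gather(
        *(middleware("Bearer not-a-real-token") for _ in range(n_requests)))
    stop.set()
    await hb
    assert not any(results)  # every request was rejected, yet each cost a disk read
    return ticks


def compare(n_requests=25):
    """Heartbeat ticks per variant; higher means the loop stayed responsive."""
    return {
        name: asyncio.run(loop_ticks_during_flood(mw, n_requests))
        for name, mw in (("vulnerable", auth_vulnerable),
                         ("offloaded", auth_offloaded),
                         ("cached", auth_cached))
    }


if __name__ == "__main__":
    for name, ticks in compare().items():
        print(f"{name:11s} heartbeat ticks during flood: {ticks}")
```

Running the script prints a tick count per variant. For the vulnerable variant all flood requests execute back to back inside one loop iteration, so the heartbeat (standing in for every legitimate connection the server would otherwise accept) gets almost no turns; the offloaded and cached variants keep the loop free. The cached variant assumes the key material is static for the process lifetime; if keys are rotated on disk, add a TTL or file-change check rather than re-reading on every request.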
Details
- CWE(s)