CVE-2026-33434 in Wazuh
Summary
by MITRE • 07/17/2026
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.6.0 and above, prior to 4.14.5, a logic error in CheckRateLimitsMiddleware.dispatch() causes the /events endpoint rate check to unconditionally overwrite the general rate limit result. When the global max_request_per_minute is exceeded, requests to /events still succeed if the events-specific counter (hardcoded 30/min) has not been reached. This allows event injection into analysisd beyond the admin-configured global rate limit. This issue has been fixed in version 4.14.5.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability resides in Wazuh's CheckRateLimitsMiddleware.dispatch() logic within versions 4.6.0 through 4.14.4, creating a critical security flaw that undermines the platform's rate limiting mechanisms. This issue manifests specifically in the /events endpoint where the system fails to properly enforce global rate limits due to a fundamental design error in how rate limit checks are processed. The flaw operates by allowing requests to succeed even when the globally configured maximum requests per minute threshold has been exceeded, provided that the event-specific rate limit counter has not reached its hardcoded limit of 30 requests per minute.
The technical implementation of this vulnerability stems from a logic error that causes the system to unconditionally overwrite the general rate limit result with event-specific rate limit data. This behavior violates standard security principles for rate limiting enforcement and creates an exploitable condition where attackers can bypass configured global rate limits through targeted injection of events. The flaw essentially creates a scenario where the system maintains two separate rate limiting contexts without proper coordination between them, leading to inconsistent enforcement of security policies.
From an operational perspective, this vulnerability enables malicious actors to perform event injection attacks that exceed administrator-configured rate limits, potentially leading to resource exhaustion and denial of service conditions within the analysisd component. The ability to circumvent global rate limits undermines the platform's threat detection capabilities by allowing excessive event processing that could overwhelm system resources or mask legitimate security events through flooding techniques. This represents a significant deviation from expected behavior where rate limiting should act as a protective barrier against abuse and resource exhaustion.
The vulnerability directly maps to CWE-1027, which addresses "Improper Control of Generation of Code ('Code Injection')" and CWE-306, "Missing Authentication for Critical Function", though the primary concern here is the improper implementation of access control mechanisms. From an ATT&CK framework perspective, this vulnerability aligns with T1496, "Resource Hijacking, and T1566, 'Phishing', as it enables attackers to potentially overwhelm system resources or manipulate event processing for malicious purposes. The flaw creates a path for adversaries to bypass security controls that are fundamental to maintaining system integrity and operational resilience.
Organizations should immediately upgrade to Wazuh version 4.14.5 or later to remediate this vulnerability, as the fix addresses the core logic error in CheckRateLimitsMiddleware.dispatch() by properly enforcing global rate limits while maintaining event-specific rate limiting as intended. Administrators should also review their current rate limit configurations and monitor for unusual patterns of event processing that might indicate exploitation attempts. Additional mitigations include implementing network-level rate limiting controls and enhanced monitoring of /events endpoint access patterns to detect potential abuse of the vulnerability before it can be fully exploited in production environments.