PT-2026-35965 · Wazuh · Wazuh

Alimezar · Published 2026-04-29 · Updated 2026-04-29 · CVE-2026-26206

CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Name of the Vulnerable Software and Affected Versions: Wazuh versions 4.0.0 through 4.14.3
Description: The brute-force protection on the Wazuh server API endpoint POST /security/user/authenticate can be bypassed by sending authentication requests concurrently. The maximum-login-attempts threshold is enforced correctly for sequential requests, but in a parallel burst additional failed login attempts are processed before the IP block takes effect, so an attacker gets more password guesses against an account than the configured policy allows. The CVSS vector reflects this: the attack is network-reachable and needs no prior authentication (AV:N, PR:N), and the impact is limited to the confidentiality and integrity gains of a partial brute-force (C:L/I:L).
Recommendations: Update to version 4.14.4.
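The race the description refers to, as an added illustration that is not part of this advisory and not Wazuh's code: a hypothetical login-attempt limiter that checks the per-IP failure counter before verifying the password and records the failure only afterwards, beside one that reserves the attempt slot atomically before verification. The threshold of 5, the address 203.0.113.7, the credential and the burst of 20 requests are constructed inputs, and the counters, class names and verify callback are assumptions for the example; the page does not state how version 4.14.4 closes the gap.

```python
"""Added example: check-then-act login limiter versus atomic reserve-then-verify.
Hypothetical code for illustration, not Wazuh's implementation."""
import threading
from collections import Counter

MAX_ATTEMPTS = 5          # hypothetical policy: block the source after 5 failures
SECRET = "correct-horse"  # constructed credential; the burst never guesses it


class NaiveLimiter:
    """Check-then-act: read the counter, verify the password, then record the
    failure. Every request that reads the counter before the first failure is
    written passes the threshold check, so a concurrent burst gets more guesses
    than the policy allows (a TOCTOU race in the attempt counter)."""

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.failures = {}

    def authenticate(self, ip, password, verify):
        if self.failures.get(ip, 0) >= self.max_attempts:
            return "blocked"
        ok = verify(password)                  # slow step (hashing) widens the window
        if ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1   # recorded too late
        return "denied"


class AtomicLimiter:
    """Reserve-then-verify: the attempt is counted under a lock *before* the
    password is checked, so N concurrent requests obtain at most max_attempts
    slots whatever the interleaving."""

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.failures = {}
        self.lock = threading.Lock()

    def authenticate(self, ip, password, verify):
        with self.lock:
            n = self.failures.get(ip, 0)
            if n >= self.max_attempts:
                return "blocked"
            self.failures[ip] = n + 1          # slot reserved atomically
        if verify(password):
            with self.lock:
                self.failures[ip] = 0          # a real login resets the counter
            return "ok"
        return "denied"


def burst(limiter, ip, n_requests):
    """Send n_requests guesses concurrently. A Barrier forces every thread to
    either pass the threshold check or be blocked before any password check
    completes: the worst-case interleaving a parallel burst can produce."""
    gate = threading.Barrier(n_requests)
    results = [None] * n_requests

    def verify(password):
        gate.wait()                            # no failure is recorded until all checks ran
        return password == SECRET

    def worker(i):
        r = limiter.authenticate(ip, f"guess-{i}", verify)
        if r == "blocked":
            gate.wait()                        # blocked early: still a party of the barrier
        results[i] = r

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)


def sequential(limiter, ip, n_requests):
    """The same guesses one after another: both limiters enforce the policy."""
    return Counter(limiter.authenticate(ip, f"guess-{i}", lambda p: p == SECRET)
                   for i in range(n_requests))


if __name__ == "__main__":
    for cls in (NaiveLimiter, AtomicLimiter):
        print(cls.__name__, "sequential:", dict(sequential(cls(MAX_ATTEMPTS), "203.0.113.7", 20)))
        print(cls.__name__, "burst:     ", dict(burst(cls(MAX_ATTEMPTS), "203.0.113.7", 20)))
```

Run the block directly to print both counters. With sequential requests both limiters stop after 5 guesses and answer "blocked" for the remaining 15; in the concurrent burst the check-then-act limiter evaluates all 20 guesses, the atomic one still only 5. The same measurement, a single-source burst counted against the configured max login attempts on a test instance, is also how to verify that an upgrade to a fixed version actually holds the threshold.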

Weakness Enumeration

Time Of Check To Time Of Use (CWE-367)

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Race Condition (CWE-362)

Related Identifiers

CVE-2026-26206

Affected Products

Wazuh