Brute-force Protection Bypass in Wazuh Server API
CVE-2026-26206

6.5MEDIUM

Key Information:

Vendor: Wazuh
Status: Wazuh
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-26206?

Wazuh, an open-source platform for threat prevention, detection, and response, contains a vulnerability in its server API affecting versions 4.0.0 to 4.14.3. This vulnerability allows attackers to bypass brute-force protection mechanisms for the POST /security/user/authenticate endpoint. By sending multiple concurrent authentication requests, an attacker can exceed the predetermined maximum login attempts, resulting in an increased success rate for password guessing attacks. The issue has been rectified in version 4.14.4, emphasizing the importance of updating for maintaining robust security.

Affected Version(s)

wazuh >= 4.0.0, < 4.14.4

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-m...

x_refsource_CONFIRM

https://github.com/wazuh/wazuh/releases/tag/v4.14.4

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Feb 11, 2026

CVE-2026-26206 Data

JSON