Improper Cryptographic Signature Verification in Elastic Package Registry by Elastic
CVE-2026-33467

5.9 MEDIUM

Key Information:

Vendor: Elastic

CVE Published: 28 April 2026

What is CVE-2026-33467?

The Elastic Package Registry improperly verifies cryptographic signatures. An attacker who can intercept network traffic, or otherwise manipulate the data served to a self-hosted registry, can inject altered packages. Because there is no robust integrity check, the tampering could go undetected, potentially leading to compromised software packages being deployed in production environments.

Affected Version(s)

Elastic Package Registry 0.1.0 <= 1.37.0

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
