{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33467", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-03-20T10:53:23.100Z", "datePublished": "2026-04-28T21:15:24.551Z", "dateUpdated": "2026-04-28T21:15:24.551Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Elastic Package Registry", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "1.37.0", "status": "affected", "version": "0.1.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.</p>"}], "value": "Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Adversary in the Middle (AiTM)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-28T21:15:24.551Z"}, "references": [{"url": "https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081"}], "source": {"discovery": "Elastic"}, "title": "Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed."}], "id": "CVE-2026-33467", "lastModified": "2026-04-28T22:16:48.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@elastic.co", "type": "Secondary"}]}, "published": "2026-04-28T22:16:48.823", "references": [{"source": "security@elastic.co", "url": "https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T01:14:21.969158+00:00", "value": {"mitigation_remediation": ["Update the Elastic Package Registry to the latest patched version as announced by Elastic.", "Configure the registry to enforce strict TLS and restrict network access to trusted hosts only, preventing tampering by network attackers.", "Verify that all packages in the registry are signed and validate signatures in your build pipeline to detect any integrity issues."], "summary": {"action": "Apply Patch", "impact": "Package tampering via signature bypass potentially leads to unauthorized code execution"}, "threat_synthesis": {"affected_systems": "The affected product is Elastic Package Registry from Elastic. No specific version information is provided in the available data, so any installation of Elastic Package Registry that predates the referenced security update may be vulnerable.", "description_and_impact": "This vulnerability arises from an improper verification of cryptographic signatures (CWE\u2011347) in Elastic Package Registry, allowing an attacker positioned to intercept network traffic or influence the contents served to a self\u2011hosted registry to substitute a tampered package silently. The integrity check would not detect the substitute, potentially enabling the attacker to deliver malicious code to consumers that rely on the registry. This flaw could lead to unauthorized code execution on systems that pull and execute packages without additional validation.", "risk_and_exploitability": "The CVSS score is 5.9, indicating a moderate potential impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker with the ability to intercept traffic or otherwise manipulate the registry contents; once a tampered package is deployed, the attacker could execute arbitrary code on downstream hosts. No confirmed exploits are currently known, but the impact warrants timely remediation."}}}}, "created": "2026-04-29T01:15:44.716344+00:00", "updated": "2026-04-29T01:15:44.716355+00:00", "vendors": []}