Elastic Package Registry Improper Signature Verification (CWE-347)
CVE-2026-33467 Published on April 28, 2026
Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
Vulnerability Analysis
CVE-2026-33467 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. A successful exploit is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Versions
Elastic Package Registry: Version 0.1.0, <= 1.37.0 is affected.