{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15617", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-27T17:55:46.750Z", "datePublished": "2026-03-27T18:04:13.691Z", "dateUpdated": "2026-03-27T19:47:47.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-27T19:47:47.000Z"}, "title": "Wazuh GitHub Actions Workflow Exposure of Sensitive Credentials", "descriptions": [{"lang": "en", "value": "Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags."}], "datePublic": "2025-06-16T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "type": "CWE"}]}], "affected": [{"vendor": "Wazuh", "product": "Wazuh (GitHub Actions)", "versions": [{"status": "affected", "version": "4.12.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L"}}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "jackhac", "type": "finder"}, {"lang": "en", "value": "nopcorn", "type": "reporter"}, {"lang": "en", "value": "nopcorn", "type": "finder"}, {"lang": "en", "value": "vikman90", "type": "coordinator"}], "x_generator": {"engine": "manual"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags."}], "id": "CVE-2025-15617", "lastModified": "2026-03-27T18:16:03.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-27T18:16:03.173", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:23:23.954088+00:00", "value": {"mitigation_remediation": ["Apply the latest Wazuh update that removes the secret from artifacts", "Modify the GitHub Actions workflow to exclude the GITHUB_TOKEN from stored artifacts or delete it before artifact creation", "Monitor the repository for unexpected commits or tag changes", "Revoke or rotate the exposed GITHUB_TOKEN immediately"], "summary": {"action": "Patch", "impact": "Token exposure permitting unauthorized commits and tag changes"}, "threat_synthesis": {"affected_systems": "Affected systems are Wazuh releases identifying as Wazuh:Wazuh (GitHub Actions) with the affected version listed as 4.12.0. No other version or product information was provided.", "description_and_impact": "The vulnerability in Wazuh version 4.12.0 exposes the GitHub Actions workflow artifact containing the GITHUB_TOKEN. This secret can be extracted by attackers who can access the artifact. During the limited validity period of the token, the attacker can inject malicious commits or override release tags.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. No EPSS score is available and the vulnerability is not in CISA's KEV catalog. The likely attack vector involves remote exploitation via access to workflow artifacts on GitHub; an attacker must obtain the artifact to retrieve the token. The impact is higher when the token has write privileges, allowing unauthorized pushes or tag modifications within the token's short\u2011lived window."}}}}, "created": "2026-03-27T20:27:53.324024+00:00", "updated": "2026-03-27T20:27:53.324059+00:00", "vendors": []}