Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
Affected Versions:
- All versions of the Elastic Package Registry up to and including 1.37.0.
Affected Configurations:
- Self-hosted deployments that sync packages from an upstream source (via the distribution tool or proxy mode).
Exploitation requires an attacker positioned to intercept or modify network traffic between the self-hosted Elastic Package Registry and its upstream source.
Not Affected Configurations:
- Elastic's public package registry at https://epr.elastic.co and deployments that pull packages directly from it.
Solutions and Mitigations:
The issue is resolved in Elastic Package Registry version 1.38.0.
Severity: CVSSv3.1: Medium (5.9) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE ID: CVE-2026-33467
Problem Type: CWE-347 - Improper Verification of Cryptographic Signature