{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15617", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-27T17:55:46.750Z", "datePublished": "2026-03-27T18:04:13.691Z", "dateUpdated": "2026-03-31T14:34:15.734Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-27T19:47:47.000Z"}, "title": "Wazuh GitHub Actions Workflow Exposure of Sensitive Credentials", "descriptions": [{"lang": "en", "value": "Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags."}], "datePublic": "2025-06-16T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "type": "CWE"}]}], "affected": [{"vendor": "Wazuh", "product": "Wazuh (GitHub Actions)", "versions": [{"status": "affected", "version": "4.12.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L"}}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "jackhac", "type": "finder"}, {"lang": "en", "value": "nopcorn", "type": "reporter"}, {"lang": "en", "value": "nopcorn", "type": "finder"}, {"lang": "en", "value": "vikman90", "type": "coordinator"}], "x_generator": {"engine": "manual"}}, "adp": [{"references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:34:12.540639Z", "id": "CVE-2025-15617", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:34:15.734Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15617", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:34:12.540639Z"}}}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:34:06.116Z"}}], "cna": {"title": "Wazuh GitHub Actions Workflow Exposure of Sensitive Credentials", "credits": [{"lang": "en", "type": "finder", "value": "jackhac"}, {"lang": "en", "type": "reporter", "value": "nopcorn"}, {"lang": "en", "type": "finder", "value": "nopcorn"}, {"lang": "en", "type": "coordinator", "value": "vikman90"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Wazuh", "product": "Wazuh (GitHub Actions)", "versions": [{"status": "affected", "version": "4.12.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2025-06-16T00:00:00.000Z", "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "manual"}, "descriptions": [{"lang": "en", "value": "Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-27T19:47:47.000Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15617", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:34:15.734Z", "dateReserved": "2026-03-27T17:55:46.750Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-27T18:04:13.691Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:4.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "AA15FF28-EA42-4934-9661-0C9312D1CB96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags."}], "id": "CVE-2025-15617", "lastModified": "2026-03-31T17:58:15.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-27T18:16:03.173", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.12.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Wazuh (GitHub Actions)", "source": "cna", "vendor": "Wazuh"}, "product": "wazuh", "vendor": "wazuh"}], "analysis": {"en": {"generated_at": "2026-03-31T19:43:04.932916+00:00", "value": {"mitigation_remediation": ["Update Wazuh to the latest patched version that removes the exposed token from workflow artifacts", "Configure GitHub Actions to prevent sensitive tokens from being included in uploaded artifacts", "Review existing artifacts for any exposed credentials and delete them", "Restrict artifact visibility to only trusted users or teams"], "summary": {"action": "Patch Immediately", "impact": "Sensitive GitHub token exposure enabling unauthorized actions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Wazuh product, specifically the GitHub Actions workflows integrated with Wazuh 4.12.0. Users deploying this version are at risk if they publish workflow artifacts that include the GITHUB_TOKEN.", "description_and_impact": "Wazuh version 4.12.0 contains a flaw in the GitHub Actions workflow artifacts that allows the GITHUB_TOKEN to be extracted from uploaded artifacts. The exposed token can be used during its limited validity window to perform unauthorized operations such as pushing malicious commits or modifying release tags. The weakness is a credential exposure flaw (CWE-522).", "risk_and_exploitability": "The CVSS score of 6.3 indicates a moderate to high severity, but the EPSS score of less than 1% suggests current exploitation likelihood is low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an adversary accessing publicly available workflow artifacts, from which the token can be extracted. Once obtained, the token can be used to authorize GitHub API actions until it expires."}}}}, "created": "2026-03-27T20:27:53.324024+00:00", "updated": "2026-03-31T20:00:55.264432+00:00", "vendors": ["wazuh", "wazuh$PRODUCT$wazuh"]}