Description

A vulnerability chain in Cribl Edge for Windows before 4.17.1 allows a local authenticated user to escalate privileges to NT AUTHORITY\SYSTEM. Incorrect default permissions on the Windows installer's authentication directory (CWE-276) expose a cryptographic secret used for JWT signing and password-hash derivation, enabling forgery of administrative API tokens. The forged token can then be used to invoke a pipeline function that reaches an OS command sink (CWE-78) running in the SYSTEM context.

PUBLISHED | Reserved 2026-05-12 | Published 2026-05-12 | Updated 2026-06-02 | Assigner Cribl




HIGH: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-276 Incorrect Default Permissions

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Any version before 4.17.1: affected

Credits

Abdulaziz M. Almetairy, Saudi Aramco (finder)

References

docs.cribl.io/edge/release-notes/release-v4171 (Cribl Edge 4.17.1 Security Fixes) release-notes

trust.cribl.io/notifications (Cribl Trust Portal) vendor-advisory

cve.org (CVE-2026-45393)

nvd.nist.gov (CVE-2026-45393)