Elastic Package Registry Improper Cryptographic Signature Verification Vulnerability Allowing Package Integrity Bypass

Vulnerability

A vulnerability exists in Elastic Package Registry versions prior to 1.38.0, specifically in self-hosted deployments that sync packages from an upstream source. It stems from improper verification of cryptographic signatures on the synced packages. An attacker able to intercept network traffic between the registry and its upstream source, or otherwise influence the contents served to the registry, could substitute a tampered package without triggering a failure in the integrity check.

Impact

Exploitation of this vulnerability could allow tampered packages to be substituted into the registry, bypassing its integrity checks and potentially introducing malicious packages into the system.

Remediation

Users should upgrade to Elastic Package Registry version 1.38.0 or later to address this vulnerability.

Added: Apr 28, 2026, 10:35 PM
Updated: Apr 28, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 6.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.