Releases: wazuh/wazuh

Wazuh v4.10.4-rc1

14 May 11:26
ac0f9cb

Pre-release

Manager

Changed

  • Masked authd.pass in configuration API responses for users without update permissions. (#34128)

Fixed

  • Fixed analysisd plugin decoder argument alignment. (#35222)
  • Fixed path traversal in authd via agent group name validation. (#35258)
  • Hardened cluster deserialization by restricting callable decoding to Wazuh modules and improving error handling. (#35256)
  • Fixed DAPI callable resolution to restrict invocations to exposed resources only. (#35256)
  • Fixed admin protection in update user endpoint. (#35469)
  • Fixed protected settings checks when multiple <ossec_config> blocks are present. (#34690)
  • Restricted cluster file transfer write paths. (#34659)
  • Improved cluster file synchronization path handling by adding safe path joins. (#35008)
  • Fixed Vulnerability Detector offset DB update to occur only after processing (backport from 4.12.0). (#31901)

Agent

Added

  • Added detection of the -a never,task Audit rule in FIM whodata for Linux. (#34661)

Changed

  • Changed sync primitive disposal to stop and soften teardown failures. (#34680)

Fixed

  • Fixed Windows FIM Registry scan crash on non-null-terminated values. (#34679)

Other

Changed

  • Updated curl dependency to 8.12.1. (#34687)
  • Updated starlette dependency to 0.49.1. (#33383)
  • Upgraded Python embedded interpreter to 3.10.19. (#32790)

Wazuh v4.14.5

23 Apr 11:46
460511d

Manager

Fixed

  • Fixed DAPI callable resolution to restrict invocations to exposed resources only. (#34889)
  • Fixed uncontrolled memory allocation in cluster caused by crafted packet length. (#35173) (#35412)
  • Fixed rate limit bypass for the /events endpoint. (#35077)
  • Fixed buffer overflow in analysisd regex match processing. (#35106)
  • Fixed path traversal in authd via agent group name validation. (#35230)
  • Fixed size_t underflow in remoted ReadSecMSG causing potential heap overflow. (#35193)
  • Fixed RBAC bypass in DAPI allowing privilege escalation. (#35307)
  • Fixed analysisd plugin decoder argument alignment. (#35176)

Agent

Fixed

  • Fixed rootcheck false positive for /dev/.blkid.tab. (#34734)
  • Fixed ORDER_REVERSAL deadlocks in FIM. (#34735)
  • Fixed Roundcube decoder regex to prevent srcip truncation in "Failed login ... in session" logs. (#34793)
  • Fixed macOS Ventura SCA policy incorrectly passing pmset checks. (#34693)
  • Fixed Office365 integration pagination by trimming HTTP header values. (#34673)
  • Fixed FIM false positives caused by double readdir check. (#34880)
  • Fixed audit log cache overflow for events with many records in logcollector. (#35285)
  • Fixed daily marker for GuardDuty log collector. (#35110)
  • Fixed rootcheck not generating findings. (#35297)
  • Fixed heap buffer overflow in syscheck Registry Wildcard Expansion. (#35287)

Changed

  • Replaced the RHEL init script with the SUSE variant on SLES 11. (#34563)
  • Changed service check from WMI to sc.exe. (#34543)
  • Changed Windows Syscollector to include command arguments. (#34727)

RESTful API

Fixed

  • Fixed allow_higher_versions validation in API upload_configuration. (#34905)
  • Fixed nested JSON depth limit in API request processing. (#35224)
  • Fixed upload size limit config mismatch. (#35141)

Ruleset

Fixed

  • Fixed bug in CIS SCA checks 35675 and 35689 for Ubuntu 24.04. (#35088)
  • Fixed Dovecot decoders to correctly extract rip and lip fields. (#35089)

Other

Changed

  • Updated dependencies cryptography to 46.0.5, Werkzeug to 3.1.6, pip to 26.0.1 and wheel to 0.46.3. (#34907)
  • Updated embedded Python to 3.10.20 and dependencies pyjwt, pyasn1. (#35135)
  • Updated dependencies cryptography, requests. (#35331)

Wazuh v5.0.0-beta1

15 Apr 13:40
cddd833

Pre-release

Manager

Added

  • Added cluster-by-default deployment model: all Wazuh Server installations now run as a cluster node, removing the distinction between clustered and non-clustered deployments. The cluster.disabled configuration option has been removed. (#31295)
  • Added stateless metadata enrichment in remoted, centralizing event metadata handling for stateless messages and removing the dependency on wazuh-db for that ingestion path. (#33269)
  • Added Engine enrichment support: IOC matching, GeoIP lookup, and event filters. (#33493)
  • Added Engine adaptation tier 2: raw archives handling, uncategorized event routing, input-level throttling, and internal metrics exposure. (#34477)
  • Added Wazuh Instance Registration status to reflect CTI access_token availability (Pending, Polling, Denied, Available), allowing the Dashboard to query the subscription state. (#31906)

Changed

  • Upgraded embedded Python interpreter from 3.10 to 3.12. (#33377) (#33570)
  • Adapted Vulnerability Detector input pipeline to the new Wazuh 5.0 synchronization algorithm, covering first-scan, inventory-change, and feed-update scenarios. (#30535)
  • Revamped Role-Based Access Control (RBAC) management and introduced an upgrade mechanism for existing RBAC configurations. (#27706)
  • Removed legacy configuration surfaces, database schemas, build targets, and compatibility layers in the second server cleanup phase. (#34608)

Removed

  • Removed Filebeat as the log-shipping component; event forwarding now uses native Wazuh server connectivity to the Wazuh Indexer via indexer-connector. (#33124)
  • Removed deprecated manager daemons: ossec-authd, wazuh-agentlessd, wazuh-maild, wazuh-dbd. (#30922)
  • Removed deprecated C CLI tools: manage_agents, agent-auth. (#30924)
  • Removed OpenSCAP server-side module. (#31028)
  • Removed inventory-related API endpoints. (#31299)
  • Removed legacy API security configuration endpoints. (#28425)

Fixed

  • Fixed Vulnerability Detector version matcher logic for improved detection accuracy. (#31746)
  • Fixed Cloudtrail log ingestion parsing errors. (#33108)

Agent

Added

  • Added local state persistence for agent modules (FIM, System Inventory, SCA), removing the dependency on rsync with the Wazuh Server and reducing network traffic and server-side processing overhead. (#29533) (#31838)

Changed

  • Changed the Wazuh Manager installation path to /var/wazuh-manager (replacing /var/ossec) and removed agent ID 000, fully decoupling agent and manager processes on shared hosts. (#33378)
  • Changed Vulnerability Detection to use the Wazuh Indexer as the sole authoritative CVE data source, removing direct CTI network access from the agent-side Vulnerability Detector. (#34849)
  • Adjusted agent-side Vulnerability Detector inventory emission and synchronization (OS, packages, hotfixes) to align with the updated VD behavior in Wazuh 5.0. (#33199)
  • Simplified rootcheck: removed the server-side database, sync path, and API surface; findings are now indexed through the standard alert pipeline. (#31478)
  • Updated logcollector file-tailing initial read strategy for more consistent behavior across log rotation scenarios. (#33382)
  • Updated Windows Event Channel log collection to emit native XML from EvtRender() without an XML declaration header. (#34462)
  • Increased default limits for agent event throughput and inventory message sizes. (#35330)

Removed

  • Removed deprecated agent binaries and legacy modules as part of the Wazuh 5.0 agent cleanup. (#30435)
  • Removed NSIS-based Windows agent installer; Windows agent now ships exclusively as an MSI package. (#31582)

Fixed

  • Fixed FIM checksum calculation that was incorrectly ignoring some file fields. (#29668)
  • Fixed syscollector reporting duplicate and bogus packages on macOS arm64. (#30513)
  • Fixed agent_control not displaying agent status information. (#32915)
  • Fixed SCA handling of invalid operators and missing values in regex patterns. (#35071)
  • Fixed agent modules initializing before agent metadata was fully ready. (#35156)
  • Fixed FIM inventory reporting file modification time as 1970-01-01. (#35162)
  • Fixed agent automatic reload failing after receiving centralized configuration. (#35169)
  • Fixed syscollector false positive package detection on macOS. (#35248)

Wazuh v4.14.4

17 Mar 08:51
5933ec9

Manager

Fixed

  • Fixed heap-based NULL write buffer underflows. (#34658)

Agent

Fixed

  • Fixed MS Graph default rules not triggering properly. (#34240)
  • Unified date formats in Active Response logs to ensure consistent timestamp formatting. (#34473)
  • Updated Docker integration rules to improve detection coverage and compatibility. (#34376)
  • Fixed heap-based NULL write buffer underflow in GetAlertData. (#34501)
  • Retained MSI installer log after Windows agent upgrade to improve troubleshooting visibility. (#34517)
  • Fixed incorrect Windows 11 edition detection after upgrading the agent to version 4.14.3. (#34530)
  • Fixed macOS agent crash during syscollector reload caused by invalid pthread_cond_destroy() usage. (#34274)
  • Fixed Windows OS edition detection. (#34540)
  • Fixed pthread_mutex_destroy invalid argument error on AIX in syscollector. (#34900)

Changed

  • Changed msi_output extension from txt to log. (#34541)
  • Changed to unsigned char in print_hex_string. (#34602)
  • Changed sync primitive disposal to stop and soften teardown failures. (#34552)

RESTful API

Fixed

  • Fixed timestamps in the /agents/upgrade_result endpoint to return accurate UTC time. (#34176)
  • Improved cluster file synchronization path handling by adding safe path joins. (#34464)
  • Fixed API login race condition. (#34459)

Other

Changed

  • Updated the azure-core dependency to 1.38.0 and the Werkzeug dependency to 3.1.5. (#34154)
  • Updated the protobuf dependency to 5.29.6 and the python-multipart dependency to 0.0.22. (#34403)

Wazuh v4.14.3

11 Feb 15:04
b6b6e94

Manager

Fixed

  • Escaped document ID when necessary before sending the document to the indexer. (#33464)
  • Extended timestamp conversion helpers to support additional input formats and normalize ISO8601 strings. (#33551)
  • Restricted cluster file transfer write paths. (#33705)
  • Hardened cluster deserialization by restricting callable decoding to Wazuh modules and improving error handling. (#33910)
  • Added query size checks for syscollector delta sync SQL generation to prevent buffer overflows. (#33803)
  • Replaced unsafe sprintf calls in the SCA decoder to prevent buffer overflows. (#33756)
  • Fixed a memory leak in the CIS-CAT decoder when database operations fail. (#33739)
  • Fixed ruleset hot reload on workers by awaiting send_reload_ruleset_msg. (#34184)

Agent

Added

  • Added hostname and architecture metadata to Windows keep-alive messages. (#33831)

Fixed

  • Fixed UTF-16 casting when updating report_changes. (#33495)
  • Improved Active Response key handling in wazuh-execd. (#33665)
  • Added bounds checking to Logcollector max-size configuration serialization. (#33704)
  • Hardened Logcollector multiline backup handling to use full-buffer copies. (#33926)
  • Fixed label formatting edge cases in keep-alive notify messages. (#33708)
  • Fixed a false positive in vulnerability detection for Oracle Linux 8. (#33583)
  • Extended Windows network path restrictions to block extended-length UNC paths. (#34115)
  • Fixed crash in network path detection on Windows. (#34162)
  • Fixed Agent reload failure on Linux systems with systemd version 219 or lower. (#34064)

RESTful API

Changed

  • Improved authentication performance by caching generated keypairs and clearing the cache when key files change. (#33702)

Fixed

  • Improved configuration upload validation by parsing and comparing Wazuh XML configurations more reliably. (#33683)
  • Fixed protected settings checks when multiple <ossec_config> blocks are present. (#33807)

Ruleset

Added

  • Added a CIS SCA policy for macOS 26 Tahoe. (#33492)

Fixed

  • Fixed SCA policy execution on Windows Server 2019 by using the correct PowerShell path. (#34141)

Other

Changed

  • Updated the werkzeug dependency to 3.1.4. (#33569)
  • Updated the urllib3 dependency to 2.6.3. (#33927)

Wazuh v4.14.2

15 Jan 11:19
9765b2d

Manager

Fixed

  • Prevented Azure Log Analytics bookmarks from being overwritten across similar configurations. (#33046)
  • Fixed discrepancy in the API certificate files. (#33330)
  • Made analysisd ruleset reload endpoints fully asynchronous to avoid blocking the API event loop. (#33589)
  • Improved analysisd ruleset hot reload performance. (#33580)
  • Avoided using systemctl in restart scripts when systemd is not running as PID 1. (#33602)

Agent

Added

  • Added detection of the -a never,task Audit rule in FIM whodata for Linux. (#33313)

Fixed

  • Fixed Windows agent remote upgrade (WPK) when installed in a custom directory. (#33171)
  • Fixed a package issue causing upgrades to fail when the shared directory contained subdirectories. (#33182)
  • Fixed FIM issue preventing whodata from working on systems with /var and /etc mounted on different volumes. (#33270)
  • Optimized user and group inventory performance in Syscollector on Windows Domain Controllers. (#33322)
  • Fixed an agent bug that prevented directories from being received in the remote configuration. (#33227)
  • Silenced agent log message about failing to connect to Active Response when it is disabled. (#33343)

Ruleset

Added

  • Added SCA Policy for Microsoft Windows Server 2025. (#32856)

Changed

  • Fixed bug in multiple macOS SCA checks. (#33202)

Fixed

  • Fixed indentation issue in the SCA policy for Windows 10 Enterprise that prevented its execution. (#33361)

Other

Changed

  • Upgraded the starlette dependency to 0.49.1. (#33069)

Wazuh v4.14.1

12 Nov 18:11
d77f67c

Manager

Added

  • Added IAM role support for VPC flow logs in the AWS wodle. (#32009)
  • Added support for static and temporary AWS credentials in the Amazon Security Lake subscriber. (#32514)

Changed

  • Optimized wazuh-db startup by executing agent schema creation in a single transaction. (#32401)
  • Improved vulnerabilities index upgrade with hash-based mapping validation, automatic safe reindex, and backup cleanup. (#32463)
  • Improved C++ logging mechanism to avoid unnecessary heap allocations. (#32069)
  • Improved IndexerConnector error handling and response parsing to provide structured logging of 4xx/5xx errors. (#32521)
  • Reduced default verbosity of wazuh-authd when handling invalid connections. (#32525)
  • Remoted now reads internal options at process startup. (#32697)

Fixed

  • Fixed manager vulnerability scan not triggering due to incorrect syscollector event provider topic name. (#32045)
  • Fixed IndexerConnector abuse control to prevent data loss on failed syncs. (#32787)
  • Fixed user tag handling by adding 'user' as an alias for the 'dstuser' static field. (#32107)
  • Fixed JSON validation issues in Analysisd and SCA components. (#32057)
  • Fixed a bug in Vulnerability Scanner where the DB offset was updated even in error cases. (#32829)

Agent

Added

  • Added support for Homebrew 2.0+ in IT Hygiene for macOS. (#32746)

Changed

  • Changed how the fim_check_ignore function works in case of negative regex cases. (#31080)
  • Changed how null values for hotfixes are handled in the Windows agent. (#31375)
  • Improved service shutdown procedure. (#32874)

Fixed

  • Fixed indefinite waiting in FIM whodata health check. (#32383)
  • Fixed graceful shutdown in FIM. (#31241)
  • SHA256 of commands is now verified on every execution. (#32049)
  • Fixed duplicate <ca_store> configuration block during RPM package upgrades. (#32528)
  • Fixed a bug that prevented overwriting <registry_limit> or <file_limit> options from remote configuration. (#31144)
  • Fixed a bug in Logcollector that prevented following symlinks when resolving wildcarded files. (#29853)
  • Unified detection logs for wildcarded files in Logcollector. (#31222)
  • Fixed a bug in FIM that did not recognize Registry keys unless they were UTF-8. (#32027)
  • Fixed a bug in Logcollector that ignored all files with <age> filter on Windows. (#32731)
  • Reverted IT Hygiene package vendor format on Debian: now includes name and email again. (#32812)
  • Fixed a bug in IT Hygiene that reported duplicated Edge browser extensions. (#32785)
  • Fixed reload of the <labels> block via remote configuration. (#32838)
  • Fixed Windows installer to deploy SCA policies for Windows 2022 instead of Windows Server 2025. (#32836)

Ruleset

Changed

  • Reworked SCA Policy for Microsoft Windows 10 Enterprise. (#31449)
  • Fixed bug in Windows SCA. (#31349)
  • Fixed mistaken alert due to expected regex. (#31102)
  • Fixed SCA checks in Oracle Linux 9. (#31886)
  • Fixed bugs in Windows Server 2016 SCA. (#32509)
  • Fixed bugs in PAM decoder. (#32523)
  • Fixed macOS Sequoia SCA scans with errors. (#32480)
  • Fixed Windows Server 2016 SCA policy not being configured correctly. (#32802)

Other

Changed

  • Upgraded the starlette dependency to 0.47.2. (#31422)
  • Upgraded Python embedded interpreter to 3.10.19. (#32782)
  • Updated curl dependency to 8.12.1. (#32900)
  • Updated Lua to version 5.4.6. (#32294)
  • Updated libarchive to version 3.8.0. (#32294)

Wazuh v4.14.0

23 Oct 17:45
e0707d7

Manager

Added

  • Added system users and groups to the inventory data. (#30848)
  • Added browser extensions and services to the inventory data. (#31614)
  • Added IPv6 support to Maltiverse integration. (#31731)

Fixed

  • Fixed internal decoder RC startup. (#29663)
  • Fixed queue stats RC over wazuh-analysisd. (#29673)
  • Fixed race condition in the event queue. (#29672)
  • Fixed regexCompile race condition. (#29699)
  • Fixed malformed alerts in alerts.log when <group> contains newline characters. (#30653)
  • Fixed and improved dpkg version comparison algorithm in Vulnerability Detector. (#31599)

Changed

  • Improved databaseFeedManagerTesttool. (#30192)
  • Adapted wazuh-maild to RFC5322 standard. (#30793)
  • Enhanced the active response endpoint performance. (#31218)

Agent

Added

  • Added support for parquet version 2 in AWS Wodle. (#30235)
  • Added capability to do a hot configuration reload in Linux agents. (#30797)
  • Added support for Amazon Inspector v2. (#31163)
  • Added system users and groups to the inventory data. (#30369)
  • Added browser extensions to the inventory data. (#805)
  • Added services to the inventory data. (#807)
  • Added missing AWS regions us-gov-west-1 and us-gov-east-1 to AWS wodle. (#31418)
  • Added Windows kernel version information to IT Hygiene. (#32413)

Fixed

  • Fixed errors with Azure Graph event fields. (#30831)
  • Added the missing "provider" field to the whodata section in syscheckd JSON configuration. (#30877)
  • Fixed journald disabled filters when both blocks have no filters. (#31700)
  • Fixed whodata FIM compatibility with latest audit versions. (#30215)
  • Fixed mismatch between MTU values in database and indexer for Windows agents. (#31875)

Changed

  • Changed rootkit error messages to warnings due to future deprecation. (#31640)

RESTful API

Added

  • Added syscollector users and groups endpoints. (#30913)
  • Added syscollector services and browser_extension endpoints. (#31513)

Fixed

  • Fixed secure headers. (#31046)
  • Fixed the display of sensitive information for non-privileged users. (#31315)

Ruleset

Added

  • Added SCA content for Rocky Linux 10. (#30745)
  • Added SCA content for Debian 13. (#31747)

Fixed

  • Fixed multiple Rocky Linux SCA checks generating incorrect results. (#29976)
  • Fixed missing Check (2.3.7.6) in Windows Server 2019 v2.0.0. (#30173)
  • Fixed camel casing in ownCloud ruleset header. (#30276)
  • Fixed false positive in check 2.3.3.2 of macOS 13, 14, and 15 SCA. (#30489)
  • Fixed bug in rule 92657. (#30529)
  • Fixed field names in Office 365 rules. (#30528)
  • Fixed action field in Fortigate rules. (#30515)
  • Fixed Auditd EXECVE sibling Decoders. (#30612)
  • Fixed problems with Windows OS languages other than English. (#31227)
  • Reworked SCA Policy for Debian Linux 12. (#30717)
  • Fixed missing comma in 0393-fortiauth_rules.xml. (#32025)
  • Fixed Windows SCA user account checks. (#32102)
  • Fixed inaccuracies in Ubuntu 24.04 SCA policy. (#32106)
  • Fixed incorrect service name in Ubuntu firewall service check. (#32143)

Other

Changed

  • Updated packaging dependency to 25.0. (#31272)
  • Updated requests to version 2.32.4. (#30536)
  • Updated urllib3 to version 2.5.0 and protobuf to version 5.29.5. (#30624)
  • Upgraded Python embedded interpreter to 3.10.18. (#30916)
  • Updated OpenSSL to 3.0.15 and cpp-httplib to v0.25.0. (#31779)
  • Updated SQLite dependency to version 3.50.4. (#29586)

Wazuh v4.13.1

25 Sep 15:43
d995c22

There are no changes in this release.

Wazuh v4.13.0

19 Sep 07:02
2f1a131

Manager

Added

  • Added Analysisd ability to do a hot ruleset reload. (#29458)
  • Added support for global queries of FIM and system inventory data. (#27894)
  • Added sanity checks for hotfix values in Vulnerability Detector. (#30504)

Fixed

  • Fixed missing agent version handling in Vulnerability Detector. (#29181)
  • Fixed race condition in agent status synchronization between worker and master. (#29624)
  • Fixed agent-group assignment for missing agents with improved error handling. (#30534)
  • Fixed missing OS info updates in global inventory after first scan. (#30818)
  • Fixed wazuh-db failure during agent restarts by updating the restart query to use HTTP. (#31048)
  • Fixed DFM graceful shutdown. (#30627)
  • Fixed inode field as string in FIM JSON messages to ensure schema consistency. (#30718)
  • Fixed duplicate OS vulnerabilities detected due to inventory after OS version change. (#30837)

Changed

  • Improved reports functionality to avoid duplicated daily FIM reports. (#29232)
  • Optimized agent query endpoints. (#29363)
  • Implemented RBAC resource cache with TTL support. (#29406)
  • Improved Wazuh-DB protocol to support large HTTP requests and remove pagination. (#29514)
  • Added HTTP client implementation to wazuh-db. (#29515)
  • Separated control messages from the connection handling in remoted. (#29153)
  • Added capability to re-index CVEs if documents have changed in Vulnerability Detector. (#29916)
  • Improved exception handling in run_local SDK function. (#30851)
  • Improved Authd connection management using epoll for better handling of concurrent agent registration requests. (#29135)
  • Added a single writer buffer manager instance for each indexer connector instance. (#31114)
  • Disabled FIM Global Queries. (#31856)

Agent

Added

  • Added support for Rocky Linux and AlmaLinux in the agent upgrade module. (#29391)
  • Added handling of CentOS 9 SCA files in package specs. (#29393)
  • Added SCA support for Oracle Linux 10. (#29139)
  • Added Rootcheck rule to detect root-owned files with world-writable permissions. (#30556)
  • Added MS Graph token validation before performing requests. (#30377)
  • Added support for UTF-8 characters in file paths for FIM. (#30763)

Fixed

  • Fixed incorrect handling of events in the Custom logs bucket. (#29312)
  • Fixed race condition when downloading Azure blobs. (#29317)
  • Fixed FIM reports false files. (#28962)
  • Fixed IPv6 address format reported by WindowsHelper. (#29502)
  • Fixed hidden port detection and netstat availability handling. (#29561)
  • Replaced select() with sleep() in Logcollector to prevent errors during Docker deployment. (#29905)
  • Fixed NetNTLMv2 exposure by filtering UNC paths and mapped drives in Windows agent. (#30060)
  • Fixed Windows agent not starting after manual upgrade by deferring service start to post-install. (#29820)
  • Fixed the loss of precision of the FIM inode field at values higher than 2^53. (#30552)
  • Fixed expanded file list in logcollector getconfig output. (#30614)
  • Fixed authd.pass ACL permissions to match client.keys security level in Windows agent installer. (#31187)

Changed

  • Improved agent synchronization to reduce redundant payload transfers. (#29426)
  • Improved Syscollector to report only Python packages managed by dpkg. (#28688)
  • Improved wazuh-db JSON handling performance by updating external dependencies. (#29399)
  • Improved Azure module logging capabilities. (#29930)
  • Improved restart on macOS agents after an upgrade. (#29940)
  • Standardized different service timeouts. (#29443)
  • Removed internal_key from queries filters. (#30637)

RESTful API

Added

  • Added the server uuid to the /manager/info endpoint. (#29524)
  • Added /agents/summary endpoint. (#29589)
  • Added ruleset reload endpoints. (#31459)

Fixed

  • Fixed false positive in configuration uploading. (#28962)
  • Fixed sorting by version in agent list endpoint. (#29166)

Ruleset

Added

  • Added SCA content for CentOS Stream 9. (#29269)
  • Added IOCs and rules for Wazuh 4.x ruleset improvement. (#29653)
  • Added SCA content for Oracle Linux 10. (#29139)
  • Added rule to minimize event flooding from Windows events on the Wazuh manager. (#28790)

Changed

  • Fixed bugs in Microsoft Windows 11 Enterprise SCA policy. (#5648)
  • Fixed multiple checks in RHEL 9, RHEL 10, Rocky Linux 8 and Rocky Linux 9 SCA policies. (#29040)
  • Fixed diff causing false negatives in rootcheck. (#28982)
  • Fixed multiple RHEL 8 and CentOS 7 SCA checks generating incorrect results. (#28711)
  • Fixed false positives in Benchmark Ubuntu 24.04. (#30827)

Other

Changed

  • Updated Python dependencies: setuptools, Jinja2, and PyJWT. (#29610)
  • Upgraded Python embedded interpreter to 3.10.16. (#28646)
  • Upgraded h11 to 0.16.0 and httpcore to 1.0.9. (#29735)
  • Removed unused Python Azure dependencies. (#28564)