CVE-2026-30893
Received Received - Intake
Path Traversal in Wazuh Leading to Remote Code Execution

Publication date: 2026-04-29

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30893
EUVD
EUVD-2026-26271
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wazuh wazuh From 4.4.0 (inc) to 4.14.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal issue in Wazuh's cluster synchronization extraction routine. It allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes.

The vulnerability arises because the decompress_files() function constructs output file paths using attacker-controlled values without proper validation or normalization checks.

Exploitation can be done via relative path traversal (e.g., ../../../../etc/cron.d/backdoor) or absolute path injection (e.g., /etc/cron.d/backdoor).

This can be escalated to code execution within the Wazuh service context by overwriting Python modules or configuration files loaded by Wazuh components.

If the cluster daemon runs with elevated privileges, this can lead to system-level compromise.

Executive Summary

This vulnerability exists in Wazuh, an open source platform for threat prevention, detection, and response. Specifically, from versions 4.4.0 to before 4.14.4, there is a path traversal flaw in the cluster synchronization extraction routine. This flaw allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes.

By exploiting this, an attacker can overwrite Python modules loaded by Wazuh components, potentially leading to code execution within the Wazuh service context. If the cluster daemon runs with elevated privileges, this can escalate to a full system-level compromise.

Impact Analysis

The vulnerability can allow an authenticated cluster peer to write arbitrary files on other cluster nodes, which can lead to unauthorized code execution within the Wazuh service.

If the cluster daemon operates with elevated privileges, this can result in a complete system compromise, potentially allowing attackers to control the affected systems.

Mitigation Strategies

The vulnerability in Wazuh versions from 4.4.0 to before 4.14.4 allows an authenticated cluster peer to perform path traversal and write arbitrary files, potentially leading to code execution and system compromise.

To mitigate this vulnerability immediately, upgrade Wazuh to version 4.14.4 or later where the issue has been patched.

Impact Analysis

This vulnerability can allow an attacker who is an authenticated cluster peer to write arbitrary files on other cluster nodes outside the intended directories.

Such unauthorized file writes can lead to code execution within the Wazuh service context by overwriting Python modules or configuration files.

If the cluster daemon operates with elevated privileges, the attacker could achieve full system-level compromise.

The impact includes potential loss of integrity and availability of the affected systems.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unexpected file writes outside the intended extraction directories on Wazuh cluster nodes, especially files that could overwrite Python modules or configuration files.

Since the vulnerability exploits path traversal in the cluster synchronization extraction routine, you can check for suspicious file paths containing relative path traversal sequences (e.g., ../../) or absolute paths being written during cluster synchronization.

Commands to help detect potential exploitation attempts include:

  • Use file integrity monitoring tools or commands like `find` to look for recently modified or created files outside expected directories, for example: `find /var/ossec/ -type f -mtime -1` to find files modified in the last day.
  • Check Wazuh logs for unusual cluster synchronization activity or errors related to file extraction paths.
  • Use commands like `grep -r "..\/..\/" /var/ossec/` to search for path traversal patterns in logs or configuration files.
  • Monitor network traffic for suspicious cluster peer communications that might include malicious payloads attempting path traversal.
Mitigation Strategies

The primary immediate mitigation step is to upgrade Wazuh to version 4.14.4 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, restrict cluster peer access to trusted nodes only and limit privileges of the cluster daemon to reduce the risk of system-level compromise.

Monitor and audit cluster synchronization activities closely to detect any suspicious file writes or path traversal attempts.

Apply network segmentation and firewall rules to limit exposure of the cluster synchronization service to untrusted networks.

Compliance Impact

The vulnerability allows an authenticated cluster peer to write arbitrary files outside the intended directory on other cluster nodes, potentially leading to code execution and system-level compromise if elevated privileges are involved.

Such unauthorized file writes and possible system compromise could lead to breaches of data integrity and availability, which are critical aspects of compliance with standards like GDPR and HIPAA.

If exploited, this vulnerability could result in unauthorized access or modification of sensitive data, thereby violating requirements for data protection, confidentiality, and system security mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart