CVE-2026-30893
Path Traversal in Wazuh Leading to Remote Code Execution

Publication date: 2026-04-29

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

Vendor   Product   Version / Range
wazuh    wazuh     From 4.4.0 (inclusive) to 4.14.4 (exclusive)
CWE

CWE ID   Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Wazuh, an open source platform for threat prevention, detection, and response. Specifically, from versions 4.4.0 to before 4.14.4, there is a path traversal flaw in the cluster synchronization extraction routine. This flaw allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes.

By exploiting this, an attacker can overwrite Python modules loaded by Wazuh components, potentially leading to code execution within the Wazuh service context. If the cluster daemon runs with elevated privileges, this can escalate to a full system-level compromise.


How can this vulnerability impact me?

The vulnerability can allow an authenticated cluster peer to write arbitrary files on other cluster nodes, which can lead to unauthorized code execution within the Wazuh service.

If the cluster daemon operates with elevated privileges, this can result in a complete system compromise, potentially allowing attackers to control the affected systems.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability in Wazuh versions from 4.4.0 to before 4.14.4 allows an authenticated cluster peer to perform path traversal and write arbitrary files, potentially leading to code execution and system compromise.

To mitigate this vulnerability immediately, upgrade Wazuh to version 4.14.4 or later where the issue has been patched.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated cluster peer to write arbitrary files outside the intended directory on other cluster nodes, potentially leading to code execution and system-level compromise if elevated privileges are involved.

Such unauthorized file writes and possible system compromise could lead to breaches of data integrity and availability, which are critical aspects of compliance with standards like GDPR and HIPAA.

If exploited, this vulnerability could result in unauthorized access or modification of sensitive data, thereby violating requirements for data protection, confidentiality, and system security mandated by these regulations.


Can you explain this vulnerability to me?

This vulnerability is a path traversal issue in Wazuh's cluster synchronization extraction routine. It allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes.

The vulnerability arises because the decompress_files() function constructs output file paths using attacker-controlled values without proper validation or normalization checks.

Exploitation can be done via relative path traversal (e.g., ../../../../etc/cron.d/backdoor) or absolute path injection (e.g., /etc/cron.d/backdoor).

This can be escalated to code execution within the Wazuh service context by overwriting Python modules or configuration files loaded by Wazuh components.

If the cluster daemon runs with elevated privileges, this can lead to system-level compromise.
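As an added illustration (not Wazuh's code and not the 4.14.4 fix), this is the kind of output-path check the answer above says decompress_files() lacked: every archive member is canonicalised against the destination directory and written only if it still resolves inside it. The zip format, the file names and the contents are constructed test data; the two rejected names are the relative and absolute shapes quoted above.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample members: one legitimate file plus the two traversal
# shapes the advisory names. Not real Wazuh cluster synchronization files.
SAMPLE_MEMBERS = {
    "cluster/files/agent-info": b"ok\n",
    "../../../../etc/cron.d/backdoor": b"must not be written\n",
    "/etc/cron.d/backdoor": b"must not be written\n",
}


def safe_target_path(dest_dir: str, member_name: str) -> str:
    """Return where a member may be written, or raise ValueError.

    Reject absolute names, join to the destination, canonicalise (resolving
    '..' and symlinks), then require the result to still sit under the
    canonical destination. commonpath() compares whole components, so
    '/x/dest' is not fooled by a sibling such as '/x/dest-evil'.
    """
    if os.path.isabs(member_name):
        raise ValueError(f"absolute path in archive: {member_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes destination: {member_name!r}")
    return target


def extract_safely(zip_bytes: bytes, dest_dir: str) -> tuple[list, list]:
    """Extract members that pass safe_target_path(); return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target_path(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)  # worth an alert in production
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest_dir)))
    return written, rejected


def demo() -> tuple[list, list]:
    """Build the constructed archive in memory and extract into a scratch dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    with tempfile.TemporaryDirectory() as dest:
        return extract_safely(buf.getvalue(), dest)
```

The rejected list is the natural place to hang logging, since a peer sending such names is exactly the activity the detection guidance on this page asks you to watch for.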


How can this vulnerability impact me?

This vulnerability can allow an attacker who is an authenticated cluster peer to write arbitrary files on other cluster nodes outside the intended directories.

Such unauthorized file writes can lead to code execution within the Wazuh service context by overwriting Python modules or configuration files.

If the cluster daemon operates with elevated privileges, the attacker could achieve full system-level compromise.

The impact includes potential loss of integrity and availability of the affected systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unauthorized or unexpected file writes outside the intended extraction directories on Wazuh cluster nodes, especially files that could overwrite Python modules or configuration files.

Since the vulnerability exploits path traversal in the cluster synchronization extraction routine, you can check for suspicious file paths containing relative path traversal sequences (e.g., ../../) or absolute paths being written during cluster synchronization.

Commands to help detect potential exploitation attempts include:

  • Use file integrity monitoring tools or commands like `find` to look for recently modified or created files outside expected directories, for example: `find /var/ossec/ -type f -mtime -1` to find files modified in the last day.
  • Check Wazuh logs for unusual cluster synchronization activity or errors related to file extraction paths.
  • Use commands like `grep -r "..\/..\/" /var/ossec/` to search for path traversal patterns in logs or configuration files.
  • Monitor network traffic for suspicious cluster peer communications that might include malicious payloads attempting path traversal.

What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to upgrade Wazuh to version 4.14.4 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, restrict cluster peer access to trusted nodes only and limit privileges of the cluster daemon to reduce the risk of system-level compromise.

Monitor and audit cluster synchronization activities closely to detect any suspicious file writes or path traversal attempts.

Apply network segmentation and firewall rules to limit exposure of the cluster synchronization service to untrusted networks.

