CVE-2026-39359
Received Received - Intake

Path Traversal in Wazuh Manager

Vulnerability report for CVE-2026-39359, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.0.0 through 4.10.3 and 4.11.0 through 4.14.4, a logic flaw affects the Wazuh Manager's enrollment daemon (authd) and synchronization daemon (remoted). The authd process allows agents to select a group during enrollment but does not filter path traversal sequences such as "..." While the manager checks for the group directory using wopendir(), the ".." sequence references the parent directory (/var/ossec/etc), allowing it to pass validation. After the malicious group is accepted and stored in the manager's global database, the remoted process uses this unchecked value to build paths for agent configuration synchronization. As a result, sensitive files from /var/ossec/etc, such as client.keys, ossec.conf, and internal certificates, are included in the agent's shared configuration stream and exposed to the attacker. This issue has been fixed in versions 4.10.4 and 4.14.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
wazuh wazuh_manager From 4.0.0 (inc) to 4.14.4 (inc)
wazuh wazuh_manager 4.10.4
wazuh wazuh_manager 4.14.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-39359 is a path traversal vulnerability in Wazuh Manager affecting versions 4.0.0 through 4.14.4. It involves improper validation of agent group names during enrollment, allowing attackers to inject sequences like '..' to bypass security checks. This exposes sensitive files in /var/ossec/etc, such as client.keys and ossec.conf, to unauthorized access.

Detection Guidance

Check Wazuh Manager versions between 4.0.0-4.10.3 and 4.11.0-4.14.4 for the vulnerability. Inspect authd and remoted logs for suspicious group enrollment attempts containing '..' sequences. Verify if sensitive files like client.keys or ossec.conf are included in agent configuration streams.

Impact Analysis

An attacker could exploit this to access sensitive files, including encryption keys and configuration data, potentially leading to unauthorized control or data breaches. The vulnerability enables network-based attacks with no required privileges or user interaction, posing risks to confidentiality and integrity of the Wazuh deployment.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements for data protection such as GDPR and HIPAA. Exposure of client.keys and configuration files may result in data breaches, triggering regulatory penalties and reputational damage.

Mitigation Strategies

Upgrade Wazuh Manager to versions 4.10.4 or 4.14.5 or later immediately. Implement strict input validation in authd to block path traversal sequences like '..' or '/'. Review and restrict access to /var/ossec/etc files. Monitor for unauthorized file access or configuration changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart