Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.
Published: 2026-03-17
Score: 9.1 Critical
EPSS: 9.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wazuh 4.0.0 through 4.14.2 contain a Remote Code Execution vulnerability from deserialization of untrusted data, categorized as CWE-502. An attacker who gains any access to a worker node in a cluster deployment can inject malicious payloads during deserialization, leading to arbitrary code execution on the master node with root privileges. This compromise can allow full takeover of the entire cluster, impacting confidentiality, integrity, and availability.

Affected Systems

The affected product is Wazuh, specifically versions 4.0.0 to 4.14.2 used in cluster mode. All deployments using the master/worker architecture are vulnerable, while version 4.14.3 and later contain the fix.

Risk and Exploitability

The CVSS score of 9.1 reflects critical severity. The EPSS score of 9.2% indicates a modest but non-negligible probability of exploitation in the wild (rated Low on this page). The vulnerability is not listed in CISA KEV, but the combination of critical impact and a non-negligible exploitation probability makes this a serious risk for clusters exposed to the internet or lacking network isolation between nodes. Once a worker node is compromised, the attacker can leverage the insecure deserialization to achieve full RCE on the master node with root privileges, and with it control over the entire environment.

Generated by OpenCVE AI on June 18, 2026 at 10:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.3 or later to remove the insecure deserialization vulnerability.
  • If upgrading immediately is not possible, isolate worker nodes from external networks and restrict inbound connections to only trusted management interfaces.
  • Disable or restrict serialization of untrusted data in the cluster configuration, ensuring that only signed or validated payloads are processed.
  • Implement continuous monitoring of cluster logs for suspicious deserialization attempts and enforce strict access controls on worker nodes.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:30:00 +0000

  CPEs (added): cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 12:15:00 +0000

  First Time appeared (added): Wazuh; Wazuh wazuh
  Vendors & Products (added): Wazuh; Wazuh wazuh

Tue, 17 Mar 2026 19:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 18:15:00 +0000

  Description (added): Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.
  Title (added): Wazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization
  Weaknesses (added): CWE-502
  References (added):
  Metrics (added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T03:55:49.623Z

Reserved: 2026-02-05T18:35:52.359Z

Link: CVE-2026-25769

Vulnrichment

Updated: 2026-03-17T18:19:21.672Z

NVD

Status: Analyzed

Published: 2026-03-17T18:16:15.267

Modified: 2026-06-17T10:25:12.147

Link: CVE-2026-25769

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:15:03Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data