Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.
Published: 2026-04-29
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path‑traversal flaw in the decompress_files() routine of Wazuh’s cluster synchronization routine allows an authenticated peer to write files outside the intended extraction directory. By overwriting Python modules that Wazuh loads, a malicious cluster node can inject code that runs in the Wazuh service context. If the cluster daemon runs with elevated privileges, this escalation can lead to system‑level compromise. The vulnerability directly threatens confidentiality, integrity, and availability of the affected nodes and can be used to execute arbitrary code on any node that trusts the peer.

Affected Systems

Wazuh installations between version 4.4.0 (inclusive) and version 4.14.4 (exclusive) are affected. The issue is present in all products distributed under the wazuh:wazuh CNA identification. Affected components include the cluster daemon responsible for synchronizing rules, decoders, and other configuration artifacts across nodes.

Risk and Exploitability

The CVSS score of 9 indicates a critical severity. The EPSS score is not available, so the exploitation probability is unknown; however, because the flaw requires authenticated cluster peers, an attacker must gain legitimate cluster credentials or compromise an existing node. The vulnerability is not listed in CISA’s KEV catalog. If the cluster daemon operates with elevated privileges, the potential impact scales from arbitrary file write to full system compromise. Exploitation would involve crafting a malicious archive to trigger the decompression routine on a target node, leveraging the path traversal to overwrite critical Python modules and achieve code execution.

Generated by OpenCVE AI on April 29, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch contained in Wazuh release 4.14.4 or later to remove the path traversal flaw
  • Re‑configure the cluster daemon to run under the least privilege required for operation, reducing the impact of any remaining file‑write vulnerabilities
  • Validate cluster peers and establish strict authentication to prevent unauthorized nodes from joining the cluster

Generated by OpenCVE AI on April 29, 2026 at 21:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

Wed, 29 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wazuh
Wazuh wazuh
Vendors & Products Wazuh
Wazuh wazuh

Wed, 29 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.
Title Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H'}

Subscriptions

Wazuh Wazuh
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-29T19:29:26.152Z

Reserved: 2026-03-06T00:04:56.701Z

Link: CVE-2026-30893

cve-icon Vulnrichment

Updated: 2026-04-29T19:29:21.998Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T19:16:23.200

Modified: 2026-04-30T20:30:05.967

Link: CVE-2026-30893

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses