Critical (9.0)

Wazuh cluster path traversal RCE (CVE-2026-30893)

CVE-2026-30893

CVE-2026-30893: Wazuh 4.4.0-4.14.3 cluster auth peer can write arbitrary files, escalate to code execution. CVSS 9.0 critical. Update to 4.14.4.

Affected: Wazuh

Patch now - CVE-2026-30893 is a critical path traversal vulnerability in Wazuh cluster synchronization (versions 4.4.0 through 4.13.3 and 4.14.0 through 4.14.3) that lets an authenticated cluster peer write arbitrary files outside the extraction directory, escalating to remote code execution in the Wazuh service context. Patched in Wazuh 4.14.4 with Python module integrity improvements.

Overview

CVE-2026-30893 affects Wazuh’s cluster synchronization extraction routine, where the daemon fails to properly validate file paths during archive extraction. An attacker who controls an authenticated cluster peer can craft a malicious archive containing path traversal sequences (such as ../ or absolute paths). When other cluster nodes extract this archive during synchronization, the attacker can overwrite arbitrary files on those nodes.

Impact

The primary exploitation path targets Python modules loaded by Wazuh components. By overwriting a loaded Python module with malicious code, the attacker achieves code execution in the Wazuh service context. In deployments where the cluster daemon runs with elevated privileges (such as root), this can escalate to full system compromise. The attack requires network access to the cluster and high-level authentication credentials (valid cluster peer credentials).

The vulnerability carries a CVSS score of 9.0 (Critical) due to low attack complexity, network accessibility, and no user interaction required. No active exploitation has been publicly confirmed, but proof-of-concept exploitation techniques have been shared in security circles.

Affected Versions

  • Wazuh 4.4.0 through 4.13.3 - Affected
  • Wazuh 4.14.0 through 4.14.3 - Affected

Remediation

Immediate action: Update to Wazuh 4.14.4 or later. The patch introduces path sanitization checks in the extraction routine and prevents Python module overwrites outside authorized directories.
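The kind of path sanitization the Overview and the patch note describe, as an added Python example that is not Wazuh's own code: every archive member is checked against the destination directory before anything is written, so `../` sequences, absolute member names and link entries are all refused and a partially trusted archive never leaves a half-written tree. The archives are constructed in-memory samples, and `build_archive`, `is_within`, `safe_extract` and `demo` are names assumed for this example.

```python
import io
import os
import tarfile
import tempfile

def build_archive(entries):
    """Constructed sample: build an in-memory tar from {member_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_within(base, target):
    """realpath collapses '../' and resolves symlinks, so traversal and absolute names land outside base."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def safe_extract(archive, dest):
    """Validate every member before writing any; allow only regular files and directories under dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            if not is_within(dest, os.path.join(dest, m.name)):
                raise ValueError(f"path traversal rejected: {m.name!r}")
            if not (m.isfile() or m.isdir()):  # symlinks/hardlinks could redirect later writes
                raise ValueError(f"entry type rejected: {m.name!r}")
        for m in members:
            path = os.path.join(dest, m.name)
            os.makedirs(path if m.isdir() else os.path.dirname(path), exist_ok=True)
            if m.isfile():
                with open(path, "wb") as out, tar.extractfile(m) as src:
                    out.write(src.read())
    return [m.name for m in members]

def demo():
    """Benign archive extracts; traversal and absolute-path archives are refused before 'ok.txt' is written."""
    dest = tempfile.mkdtemp()
    out = {"good": safe_extract(build_archive({"rules/local_rules.xml": b"<group/>"}), dest)}
    for label, name in (("traversal", "../../evil.py"), ("absolute", "/tmp/evil.py")):
        try:
            safe_extract(build_archive({"ok.txt": b"x", name: b"print(1)"}), dest)
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    out["partial_write"] = os.path.exists(os.path.join(dest, "ok.txt"))
    return out
```

Validating the whole member list before the first write is what keeps a rejected archive from leaving a benign-looking partial tree behind, which is also the condition a defender would want logged.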

Temporary workarounds: If upgrading is not immediately possible, restrict cluster peer authentication to trusted, known hosts using firewall rules or network segmentation. Monitor cluster synchronization logs for unexpected file write operations or extraction errors.

Security Insight

This vulnerability follows a pattern common in security monitoring platforms, where trust between internal components is implicitly assumed rather than validated. The cluster synchronization feature, designed for high availability and distributed management, became the vector for lateral movement. This echoes similar path traversal issues in other security tools like Elasticsearch and Splunk, which have historically suffered from trust assumptions in their cluster communication protocols. For threat detection and response platforms, this class of vulnerability is particularly dangerous because a compromised cluster peer can silently corrupt detection logic or disable monitoring capabilities across the entire deployment.
