CVE-2026-30893 CRITICAL

CVE-2026-30893: Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer

Vendor: Wazuh
Product: wazuh
Weakness: CWE-22 · Path traversal
Published: April 29, 2026
Last update: April 29, 2026

CVSS base score

9.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

What the vulnerability does

01 Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.
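The containment check this class of bug calls for, as an added example (not Wazuh's code and not the 4.14.4 patch): every entry name received from a peer is resolved and compared against the extraction root before anything is written. The payload layout of `(name, bytes)` pairs, the names `resolve_inside`, `extract_entries` and `UnsafeArchiveEntry`, and the sample entry names are assumptions made for illustration.

```python
import os
import tempfile


class UnsafeArchiveEntry(Exception):
    """An entry name would resolve outside the extraction root."""


def resolve_inside(root, entry_name):
    """Return the resolved target path for entry_name, or raise if it escapes root."""
    if not entry_name or "\x00" in entry_name:
        raise UnsafeArchiveEntry(repr(entry_name))
    real_root = os.path.realpath(root)
    # os.path.join() discards root when entry_name is absolute, and realpath()
    # collapses ".." and follows existing symlinks, so the comparison is made
    # on the fully resolved target rather than on the raw name.
    target = os.path.realpath(os.path.join(real_root, entry_name))
    if target == real_root or os.path.commonpath([real_root, target]) != real_root:
        raise UnsafeArchiveEntry(entry_name)
    return target


def extract_entries(root, entries):
    """Write (name, bytes) pairs under root and return the paths written.

    Every name is validated before anything touches disk, so one bad entry
    rejects the whole payload instead of leaving a partial extraction.
    """
    targets = [(resolve_inside(root, name), data) for name, data in entries]
    written = []
    for target, data in targets:
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(target)
    return written


if __name__ == "__main__":
    # Constructed sample payloads; the names are illustrative only.
    with tempfile.TemporaryDirectory() as root:
        print(extract_entries(root, [("shared/group.conf", b"ok")]))
        for name in ("../outside.txt", "/tmp/outside.txt", "a/../../outside.txt"):
            try:
                extract_entries(root, [("fine.txt", b"x"), (name, b"y")])
            except UnsafeArchiveEntry as exc:
                print("rejected:", exc)
```

The check is made at validation time only; a process that can modify the extraction directory between validation and write still needs to be excluded by file-system permissions.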

Key dates

02 Disclosure timeline

April 29, 2026: CVE published
April 29, 2026: Record updated
