Wazuh 4.4.04.14.3 Path Traversal to Arbitrary File Write in Cluster Sync
CVE-2026-30893 Published on April 29, 2026

Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.

NVD

Vulnerability Analysis

CVE-2026-30893 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-30893. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-30893 has been classified to as a Directory traversal vulnerability or weakness.

External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.


Products Associated with CVE-2026-30893

Want to know whenever a new CVE is published for Wazuh? stack.watch will email you.

Wazuh
 

Affected Versions

wazuh Version >= 4.4.0, < 4.14.4 is affected by CVE-2026-30893