CVE-2026-30893

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/wazuh/wazuh/releases/tag/v4.14.4	Release Notes
https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787	Vendor Advisory
https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

History

30 Apr 2026, 20:30

Type	Values Removed	Values Added
First Time		Wazuh wazuh Wazuh
CPE		cpe:2.3:a:wazuh:wazuh::::::::
References	~~() https://github.com/wazuh/wazuh/releases/tag/v4.14.4 -~~	() https://github.com/wazuh/wazuh/releases/tag/v4.14.4 - Release Notes
References	~~() https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787 -~~	() https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787 - Vendor Advisory

30 Apr 2026, 15:11

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-29 19:16

Updated : 2026-04-30 20:30

NVD link : CVE-2026-30893

Mitre link : CVE-2026-30893

CVE.ORG link : CVE-2026-30893

JSON object : View

Products Affected

wazuh

wazuh

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

{"id": "CVE-2026-30893", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-04-29T19:16:23.200", "references": [{"url": "https://github.com/wazuh/wazuh/releases/tag/v4.14.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4."}], "lastModified": "2026-04-30T20:30:05.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF4A0B6F-989A-47DB-BA1C-FC9F4D68A805", "versionEndExcluding": "4.14.4", "versionStartIncluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}