CVE-2026-30893
Published: 29 April 2026
Summary
CVE-2026-30893 is a critical-severity Path Traversal (CWE-22) vulnerability in Wazuh. Its CVSS v3.1 base score is 9.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 23.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates file path inputs in the cluster synchronization extraction routine so that a peer-supplied member name cannot resolve outside the extraction directory and become an arbitrary file write.
- SI-2 (Flaw Remediation): requires timely remediation by upgrading Wazuh to version 4.14.4 or later, which eliminates the vulnerability.
- AC-6 (Least Privilege): runs the Wazuh cluster daemon with only the privileges it needs, limiting what an arbitrary file write can reach and keeping service-context code execution from becoming a system-level compromise.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in authenticated cluster synchronization gives a remote peer an arbitrary file write on other cluster nodes, which is a transfer of attacker-chosen files between hosts (T1570, Lateral Tool Transfer). Overwriting a Python module that a Wazuh component imports turns that write into code execution in the service context (T1059.006, Python). Both are reached by exploiting the remote Wazuh cluster service (T1210, Exploitation of Remote Services).
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.
Deeper analysis
CVE-2026-30893 is a path traversal vulnerability (CWE-22, CWE-73) in the cluster synchronization extraction routine of Wazuh, a free and open-source platform for threat prevention, detection, and response. It affects Wazuh versions from 4.4.0 up to but not including 4.14.4, enabling an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H). The score stays Critical despite the high-privilege requirement (PR:H) because the scope changes (S:C): a peer that can authenticate to the cluster affects nodes other than its own.
An attacker who controls a node that can authenticate as a cluster peer, for example a compromised or rogue member, can exploit this flaw remotely over the network with low complexity to perform arbitrary file writes on target nodes. This can be escalated to code execution within the Wazuh service context by overwriting Python modules loaded by Wazuh components; the advisory references a proof of concept. In configurations where the cluster daemon operates with elevated privileges, attackers could achieve full system-level compromise.
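The mechanism described above, as an added illustration that is not Wazuh's own code: a generic archive-extraction routine in the vulnerable shape (the peer-supplied member name is joined to the destination and written without checking where the joined path resolves) beside a hardened version that validates every member against the real extraction directory before writing anything, which is the SI-10 input-validation control from the mitigation list in concrete form. Zip is used only because it makes a self-contained demo easy; the page does not state which archive format the sync routine uses. All member names, file contents and directory names are constructed for this example.

```python
import io
import os
import tempfile
import zipfile


class TraversalError(ValueError):
    """Raised when an archive member would land outside the extraction dir."""


def is_within(base_dir, candidate):
    """True if candidate resolves ('..' and existing symlinks included) inside base_dir.

    commonpath is used instead of startswith so that /srv/ab does not pass
    as being inside /srv/a."""
    base_dir = os.path.realpath(base_dir)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base_dir, candidate]) == base_dir


def build_archive(members):
    """Constructed test input: a zip whose member names are attacker-chosen."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)  # writestr stores '../' in the name as-is
    return buf.getvalue()


def extract_unsafe(archive_bytes, dest_dir):
    """Vulnerable shape: member name joined to dest_dir, no containment check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            out_path = os.path.join(dest_dir, name)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(name))  # ZipFile.read does not sanitize names
            written.append(os.path.realpath(out_path))
    return written


def extract_safe(archive_bytes, dest_dir):
    """Hardened shape: validate every member first, then write.

    Rejecting the whole archive before the first write means a hostile
    archive is never half-applied to the node."""
    dest_dir = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            name = info.filename
            if not name or "\x00" in name or os.path.isabs(name):
                raise TraversalError(name)
            out_path = os.path.join(dest_dir, name)
            if not is_within(dest_dir, out_path):
                raise TraversalError(name)
            planned.append((info, out_path))
        for info, out_path in planned:
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(out_path)
    return written


def demo():
    """Run both extractors on one hostile archive inside a temp dir.

    The traversal member only escapes the extraction directory, not the
    temp dir, so the demo never touches the rest of the filesystem."""
    archive = build_archive({
        "data/agent-groups.txt": b"group: default\n",          # benign member
        "../../escape.py": b"print('attacker-controlled')\n",   # traversal member
    })
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        unsafe_dest = os.path.join(tmp, "cluster", "incoming")
        safe_dest = os.path.join(tmp, "cluster", "incoming-safe")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)

        escaped = [p for p in extract_unsafe(archive, unsafe_dest)
                   if not is_within(unsafe_dest, p)]
        try:
            extract_safe(archive, safe_dest)
            blocked = None
        except TraversalError as exc:
            blocked = str(exc)
        return {
            "unsafe_escaped": [os.path.relpath(p, tmp) for p in escaped],
            "safe_blocked": blocked,
            "safe_partial_writes": os.listdir(safe_dest),
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsafe routine dropping `escape.py` two directories above the extraction directory while the hardened routine rejects the archive by member name and writes nothing. Two caveats for anyone adapting the check: Python's own `ZipFile.extractall` already strips traversal components, so the vulnerable shape usually appears in code that reads members and writes them itself, as above; and `realpath` only follows symlinks that already exist on disk, so an extractor that also materialises symlink entries needs to validate each one against the destination before creating it.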
Wazuh has addressed the issue in version 4.14.4, as detailed in the release notes and GitHub Security Advisory GHSA-m8rw-v4f6-8787. Security practitioners should confirm the installed version on every cluster node (for example with wazuh-control info), upgrade to 4.14.4 or later, and review cluster configurations to ensure that only trusted peers can authenticate and that the cluster daemon runs with least privilege.
Details
- CWE(s)