Wazuh CVE-2026-30893: Critical Path Traversal to RCE
The National Vulnerability Database has published CVE-2026-30893, a critical path traversal vulnerability in Wazuh, the open-source threat prevention, detection, and response platform. Versions 4.4.0 through 4.14.3 are affected. During cluster synchronization a node unpacks files received from a peer; because the file names are not confined to the intended extraction directory, an authenticated cluster peer can write arbitrary files anywhere the receiving node's process can write. That is a direct path to code execution, not a theoretical risk.
The obvious target is a Python module that a Wazuh component later imports: the cluster daemon itself is Python, so an attacker-controlled module runs the next time that code path is loaded. If the cluster daemon runs with elevated privileges, as it often does in production, the write becomes a full system-level compromise. NVD rates the issue CVSS 9.0 (Critical). This is not an edge case; it is a failure of isolation between cluster members.
Wazuh fixed the issue in version 4.14.4. Any organization running a vulnerable Wazuh cluster is exposed to authenticated peers achieving remote code execution on other nodes. This is not a sophisticated zero-day; it is a known critical flaw that hands an attacker who already holds one cluster credential an easy route to lateral movement and full compromise across the security monitoring infrastructure itself.
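To make the bug class concrete, here is an added example (my code, not Wazuh's and not from the original advisory): a naive tar extractor that trusts member names, beside a confined one, both run against a constructed archive inside a temporary directory tree shaped like /var/ossec. The staging directory, the member names and the module path are assumptions for the demonstration; Wazuh's real synchronization format and paths are not shown on this page.

```python
# Added example (not Wazuh's code): the archive-extraction traversal bug class
# behind CVE-2026-30893, as a vulnerable extractor beside a confined one.
# The archive, member names and the /var/ossec-like tree are constructed.
import io
import os
import tarfile
import tempfile

EVIL_MEMBER = "../../../framework/wazuh/evil.py"   # constructed: climbs out of staging
ORIGINAL_MODULE = b"# original module\n"


def build_malicious_archive() -> bytes:
    """Constructed: a peer-supplied tar with one benign and one traversing member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("agent-info/001", EVIL_MEMBER):
            data = b"# dropped by a malicious cluster peer\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str) -> list:
    """Vulnerable: joins dest and the untrusted member name and writes wherever
    that lands. A name containing '..' escapes dest and replaces a module."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            target = os.path.join(dest, m.name)        # no confinement check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(m).read())
            written.append(os.path.realpath(target))
    return written


def confined_target(dest: str, name: str) -> str:
    """Resolve name under dest and refuse anything that ends up outside it."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"member escapes extraction dir: {name!r}")
    return target


def extract_confined(archive: bytes, dest: str) -> tuple:
    """Hardened: validate every member before writing a byte, reject links
    (a symlink planted by an earlier member could redirect a later write) and
    refuse the whole archive rather than extract it partially.
    Returns (written_paths, rejected_member_names)."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
        for m in members:
            if m.issym() or m.islnk():
                rejected.append(m.name)
                continue
            try:
                confined_target(dest, m.name)
            except ValueError:
                rejected.append(m.name)
        if rejected:
            return written, rejected
        for m in members:
            if m.isfile():
                target = confined_target(dest, m.name)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(tar.extractfile(m).read())
                written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors in a throwaway tree shaped like /var/ossec (constructed)."""
    archive = build_malicious_archive()
    with tempfile.TemporaryDirectory() as tmp:
        ossec = os.path.join(tmp, "var", "ossec")
        module = os.path.join(ossec, "framework", "wazuh", "evil.py")
        os.makedirs(os.path.dirname(module))
        with open(module, "wb") as fh:            # the module the attacker wants to replace
            fh.write(ORIGINAL_MODULE)
        naive_dir = os.path.join(ossec, "queue", "cluster", "staging-naive")
        safe_dir = os.path.join(ossec, "queue", "cluster", "staging-confined")
        os.makedirs(naive_dir)
        os.makedirs(safe_dir)

        naive = extract_naive(archive, naive_dir)
        root = os.path.realpath(naive_dir)
        escaped = [p for p in naive if os.path.commonpath([root, p]) != root]
        with open(module, "rb") as fh:
            module_overwritten = fh.read() != ORIGINAL_MODULE

        written, rejected = extract_confined(archive, safe_dir)
        return {
            "naive_escaped": len(escaped),
            "module_overwritten": module_overwritten,
            "confined_written": len(written),
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The check in `confined_target` is the whole fix: resolve the joined path with `realpath`, then require that the extraction root is a path prefix of the result. On Python 3.12 and later (and the security backports of 3.8 to 3.11) the standard library offers the same protection via `tarfile.extractall(path, filter="data")`, which rejects escaping members and links for you.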
What This Means For You
- If your organization runs Wazuh, verify the version of every cluster node now (`/var/ossec/bin/wazuh-control info` prints it on each node) and patch all of them to 4.14.4 or later to close CVE-2026-30893. The flaw requires an authenticated peer, so a compromised node or a leaked cluster key is the entry point: review how peers authenticate and who holds the key. Run the cluster daemon with the least privilege it needs, so that an arbitrary file write on a node cannot become a root-level compromise. This is a critical RCE that can turn your security platform into an attacker's playground.
Detection Rules
The Sigma rule below was auto-generated for this CVE and mapped to MITRE ATT&CK; validate it against your own file-event source before relying on it.
CVE-2026-30893: Wazuh Path Traversal to Arbitrary File Write

```yaml
title: 'CVE-2026-30893: Wazuh Path Traversal to Arbitrary File Write'
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the path traversal vulnerability (CVE-2026-30893) in
  Wazuh versions prior to 4.14.4. Looks for file write operations whose target path
  traverses out of the intended extraction directory within the Wazuh installation,
  which can lead to arbitrary file writes and subsequent RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-30893/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '/var/ossec/api/../'
      - '/var/ossec/framework/../'
      - '/var/ossec/queue/../'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Two caveats on this selection. It fires only when the literal `..` appears directly after `/var/ossec/api/`, `/var/ossec/framework/` or `/var/ossec/queue/`; a traversal that starts one directory deeper does not match. And many file-integrity and audit sources record the canonical path of the file that was written, with the `..` already resolved, so the selection never sees it. Treat the rule as a starting point and pair it with a check on writes to `.py` files under the Wazuh framework tree, excluding package upgrades.
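The following added example (my code, not the page's rule engine and not Wazuh's) runs the Sigma selection above against a handful of constructed file-event records and, beside it, a check that normalises the path before asking where the write actually lands. The records are made up for the demonstration, and `/var/ossec` is assumed to be the default Wazuh install prefix.

```python
# Added example: the rule's substring selection versus a path-normalising check,
# evaluated over constructed file-event records (not captured logs).
import posixpath

# The three substrings from the rule's TargetFilename|contains selection.
SIGMA_CONTAINS = (
    "/var/ossec/api/../",
    "/var/ossec/framework/../",
    "/var/ossec/queue/../",
)
MODULE_TREE = "/var/ossec/framework/"   # assumed: where Wazuh's Python code lives

# Constructed records; only the target path matters for these two checks.
SAMPLE_EVENTS = [
    # traversal starting two levels below /var/ossec/queue: none of the rule's
    # literal substrings occurs, yet the write lands in the framework tree
    {"id": 1, "TargetFilename":
        "/var/ossec/queue/cluster/staging/../../../framework/wazuh/core/evil.py"},
    # traversal spelled exactly as the rule expects
    {"id": 2, "TargetFilename": "/var/ossec/queue/../framework/wazuh/evil.py"},
    # the same write, but the log source recorded the canonical path
    {"id": 3, "TargetFilename": "/var/ossec/framework/wazuh/evil.py"},
    # benign cluster sync traffic
    {"id": 4, "TargetFilename": "/var/ossec/queue/cluster/agent-info/001"},
    # benign logging
    {"id": 5, "TargetFilename": "/var/ossec/logs/cluster.log"},
]


def sigma_selection(event: dict) -> bool:
    """The page's rule: raw substring match on the logged path."""
    name = event["TargetFilename"]
    return any(s in name for s in SIGMA_CONTAINS)


def module_write_after_normalise(event: dict) -> bool:
    """Collapse '..' first, then ask where the write really lands: any .py
    under the framework tree, however the path was spelled."""
    path = posixpath.normpath(event["TargetFilename"])
    return path.startswith(MODULE_TREE) and path.endswith(".py")


def evaluate(events: list) -> list:
    """(event id, fired by the Sigma selection, fired by the normalised check)."""
    return [(e["id"], sigma_selection(e), module_write_after_normalise(e))
            for e in events]


def missed_by_sigma(events: list) -> list:
    """Ids the normalised check catches that the substring selection does not."""
    return [e["id"] for e in events
            if module_write_after_normalise(e) and not sigma_selection(e)]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
    print("missed by the substring rule:", missed_by_sigma(SAMPLE_EVENTS))
```

Events 1 and 3 are the ones to worry about: the substring rule misses both, the normalised check catches both. The normalised check will also fire on legitimate package upgrades that rewrite `.py` files under the framework tree, so scope it by the writing process or a maintenance window before deploying it.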
Vulnerability Summary
The entries below are conditions and impact for this CVE, not network or host indicators of an active intrusion.
| ID | Type | Detail |
|---|---|---|
| CVE-2026-30893 | Affected versions | Wazuh 4.4.0 through 4.14.3 (fixed in 4.14.4) |
| CVE-2026-30893 | Weakness | Path traversal in the cluster synchronization extraction routine allows arbitrary file writes, including overwriting Python modules |
| CVE-2026-30893 | Impact | Remote code execution by an authenticated cluster peer; full system compromise when the cluster daemon runs with elevated privileges |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.