CVE-2026-30893

Source
https://cve.org/CVERecord?id=CVE-2026-30893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30893
Aliases
  • GHSA-m8rw-v4f6-8787
Published
2026-04-29T17:55:12.493Z
Modified
2026-07-08T08:00:02.120110568Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H CVSS Calculator
Summary
Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer
Details

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchronization extraction routine allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components (proof of concept available as separate attachment). In deployments where the cluster daemon runs with elevated privileges, system-level compromise is possible. This issue has been patched in version 4.14.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30893.json",
    "cwe_ids": [
        "CWE-22",
        "CWE-73"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wazuh/wazuh

Affected ranges

Type
GIT
Repo
https://github.com/wazuh/wazuh
Events
Database specific
{
    "cpe": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "4.4.0"
        },
        {
            "fixed": "4.14.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30893.json"