PT-2026-35967 · Wazuh · Wazuh

Alimezar · Published 2026-03-17 · Updated 2026-05-22 · CVE-2026-30893

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Wazuh versions 4.4.0 through 4.14.3

Description

A path traversal issue exists in the cluster synchronization extraction routine, specifically within the decompress_files() function. It allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. The flaw can be escalated to remote code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components. In environments where the cluster daemon operates with elevated privileges, a full system-level compromise is possible. Over 3,500 unpatched instances were identified as of 2026-05-10.

Recommendations

Update to version 4.14.4.
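
The containment check that this class of extraction bug lacks, shown as an added example; it is not Wazuh's code or its patch, and it does not model the cluster sync payload format. The names `resolve_member`, `extract_members` and `UnsafeMemberPath`, and the idea of passing members as a name-to-bytes mapping, are assumptions made for illustration.

```python
import os
from pathlib import Path


class UnsafeMemberPath(ValueError):
    """A received file name would be written outside the extraction root."""


def resolve_member(extract_root: Path, member_name: str) -> Path:
    """Return the destination for member_name, or raise if it escapes extract_root."""
    root = extract_root.resolve()
    if not member_name or "\x00" in member_name:
        raise UnsafeMemberPath(f"empty or NUL-containing name: {member_name!r}")
    if os.path.isabs(member_name):
        raise UnsafeMemberPath(f"absolute path: {member_name!r}")
    # resolve() collapses '..' segments and follows symlinks already on disk,
    # so a link inside the root that points elsewhere is caught as well.
    target = (root / member_name).resolve()
    # Component-wise comparison: '/x/out_evil' is not inside '/x/out'.
    if target == root or not target.is_relative_to(root):
        raise UnsafeMemberPath(f"escapes extraction root: {member_name!r}")
    return target


def extract_members(extract_root: Path, members: dict) -> list:
    """Validate every name before writing, so one bad name rejects the whole batch."""
    targets = [(resolve_member(extract_root, n), data) for n, data in members.items()]
    written = []
    for target, data in targets:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target)
    return written


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extract"
        root.mkdir()
        # Constructed sample names, not taken from a real sync payload.
        for name in ["shared/agent.conf", "../extract_evil/mod.py", "/tmp/mod.py"]:
            try:
                print("ok     ", resolve_member(root, name))
            except UnsafeMemberPath as exc:
                print("reject ", exc)
```

The check assumes no other process creates symlinks under the extraction root between validation and write.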

Exploit

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-06165
CVE-2026-30893

Affected Products

Wazuh