EXECUTIVE SUMMARY:
CVE-2026-30893, with a CVSS score of 9.0, is a critical path traversal vulnerability in Wazuh's cluster synchronization mechanism. The flaw affects Wazuh, a widely deployed open-source platform for threat detection and response, specifically in versions that use cluster synchronization. The vulnerability lies in the decompress_files routine used during cluster synchronization: the receiving node takes file paths directly from the incoming archive and passes them to os.path.join() without any normalization or containment check. A compromised or malicious peer can craft an archive with traversal paths, allowing the attacker to move laterally across the network, overwrite system files, and achieve full remote code execution. Exploitation requires an authenticated cluster peer, which offers little comfort in modern distributed environments: a single node compromise allows instant infection of every other node in the cluster, turning a localized breach into a global infrastructure collapse. In standard installations, the attacker can overwrite Python modules in /var/ossec/wodles/, gaining code execution within the Wazuh service context, while in Docker and elevated deployments the risk escalates to a total system takeover, allowing attackers to write to /etc/cron.d/ or drop their own keys into /root/.ssh/authorized_keys for permanent, high-privilege access. The impact of this vulnerability depends heavily on the deployment context, with business consequences including lateral movement, root access, and potentially a total system takeover, particularly in environments where Wazuh is tasked with protecting high-value workloads.
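The containment check the summary describes as missing, shown as an added example (not Wazuh's own code; the function names, the zip format and the sample archive entries are constructed for illustration). Each archive member name is resolved against the destination directory before anything is written, and any name that escapes it is rejected and reported rather than joined blindly:

```python
import io
import os
import tempfile
import zipfile

def is_contained(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves to a path inside dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)

def decompress_files(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract a zip into dest_dir, refusing any member that would escape it.

    Absolute names and names that normalize outside dest_dir are rejected
    before any write; only regular files and directories are created, so an
    archive cannot plant a symlink and write through it.
    """
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if os.path.isabs(name) or not is_contained(dest_dir, name):
                report["rejected"].append(name)
                continue
            target = os.path.join(dest_dir, name)
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(name))
            report["extracted"].append(name)
    return report

def build_sample_archive() -> bytes:
    """Constructed test archive: one legitimate entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("queue/cluster/sync-data.txt", b"legitimate sync payload")
        zf.writestr("../../outside-of-dest.txt", b"must never be written")
    return buf.getvalue()

def run_demo() -> dict:
    """Extract the sample archive into a fresh temp dir and report the outcome."""
    dest = tempfile.mkdtemp(prefix="sync-demo-")
    report = decompress_files(build_sample_archive(), dest)
    report["escaped_file_exists"] = os.path.exists(
        os.path.join(dest, "../../outside-of-dest.txt"))
    return report
```

A rejected entry is the detection signal here: a peer that ships traversal names in a sync archive should be logged and isolated, not silently skipped.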
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/wazuh-cluster-sync-vulnerability-cve-2026-30893-rce-guide/