Wazuh, the widely deployed open-source platform for threat detection and response, has addressed a critical path traversal vulnerability in its cluster synchronization mechanism. The flaw, tracked as CVE-2026-30893 with a CVSS score of 9.0, could allow an authenticated cluster peer to write arbitrary files on other nodes, overwriting system files and achieving remote code execution, which lets an attacker move laterally from one compromised node to the rest of the cluster.
The vulnerability lies deep within Wazuh’s framework, specifically in the decompress_files() routine used during cluster synchronization. When nodes in a Wazuh cluster sync data, they exchange archives containing various configuration and operational files.
The receiving node takes file paths directly from the incoming archive and passes them to os.path.join() without any normalization or containment checks. os.path.join() neither collapses "../" components nor rejects absolute paths; an absolute member name simply replaces the base directory. A compromised or malicious peer can therefore craft an archive whose member names traverse out of the sync directory.
When the victim node processes the sync, it writes the attacker’s content to the specified path, even if it is outside the intended synchronization directory.
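To make the flawed pattern concrete, here is an added example (constructed for this article, not Wazuh's code) that contrasts a resolver trusting the archive member name in the way described above with a hardened resolver that normalizes the path and enforces containment. The scratch directory layout (queue/cluster as the sync directory, wodles/ as the escape target), the member names and the payload are assumptions chosen to mirror the scenarios discussed on this page.

```python
"""Constructed illustration of the decompress_files()-style bug: an archive
member name is joined to the sync directory with os.path.join() and trusted,
beside a hardened resolver that normalizes and enforces containment.
Not Wazuh's code; directory layout, names and payload are illustrative."""
import io
import os
import tarfile
import tempfile


def unsafe_destination(sync_dir: str, member_name: str) -> str:
    """The flawed pattern: trust the archive's path verbatim.
    os.path.join() neither collapses '..' nor rejects an absolute
    member name; an absolute name simply replaces sync_dir."""
    return os.path.join(sync_dir, member_name)


def safe_destination(sync_dir: str, member_name: str) -> str:
    """Hardened pattern: resolve symlinks and '..', then require the result
    to be strictly inside the resolved sync directory. Raises on escape."""
    base = os.path.realpath(sync_dir)
    dest = os.path.realpath(os.path.join(base, member_name))
    if dest == base or os.path.commonpath([base, dest]) != base:
        raise ValueError(f"archive member escapes sync dir: {member_name!r}")
    return dest


def escapes(sync_dir: str, member_name: str) -> bool:
    """True when the hardened resolver would refuse this member name."""
    try:
        safe_destination(sync_dir, member_name)
    except ValueError:
        return True
    return False


def build_archive(members: dict) -> bytes:
    """Build an in-memory tar whose member names are written verbatim, which
    is how a malicious peer plants '../' or absolute names (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract(archive: bytes, sync_dir: str, resolve) -> list:
    """Write every regular-file member to resolve(sync_dir, name) and return
    the paths written. Link members are refused in both modes; that is a
    separate hardening, not the traversal bug the article describes."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            if member.issym() or member.islnk():
                raise ValueError(f"link member refused: {member.name!r}")
            if not member.isfile():
                continue
            dest = resolve(sync_dir, member.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(dest)
    return written


def demo(root=None) -> dict:
    """Run one malicious sync against both resolvers inside a scratch tree
    (assumed layout: <root>/queue/cluster is the sync dir, <root>/wodles is
    the escape target, standing in for /var/ossec/wodles/)."""
    root = root or tempfile.mkdtemp(prefix="wazuh-sync-demo-")
    sync_dir = os.path.join(root, "queue", "cluster")
    os.makedirs(sync_dir, exist_ok=True)
    archive = build_archive({
        "agents/001.keys": b"legitimate sync content\n",       # stays inside
        "../../wodles/evil.py": b"import os; os.system('id')\n",  # traverses out
    })
    unsafe_written = extract(archive, sync_dir, unsafe_destination)
    outside = os.path.realpath(os.path.join(root, "wodles", "evil.py"))
    try:
        extract(archive, sync_dir, safe_destination)
        safe_refused = False
    except ValueError:
        safe_refused = True
    return {
        "escaped_file_exists": os.path.isfile(outside),
        "unsafe_written": [os.path.realpath(p) for p in unsafe_written],
        "safe_refused": safe_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The containment check compares against os.path.realpath() of both sides rather than a string prefix, so a sync directory reached through a symlink and a member name such as "cluster2/x" (which shares a prefix with "cluster") are both handled correctly; refusing link-type members closes the related trick of first extracting a symlink and then writing through it.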
Because Wazuh is often tasked with protecting high-value workloads, the impact of this vulnerability depends heavily on the deployment context:
- Standard Installations: The daemon typically runs as the wazuh user. In this scenario, an attacker can overwrite Python modules in /var/ossec/wodles/. Since Wazuh executes these modules regularly, the attacker gains code execution within the Wazuh service context.
- Docker & Elevated Deployments: In many containerized environments, the Wazuh daemon runs as root by default. Here, the risk escalates to a total system takeover. Attackers can write to /etc/cron.d/ for scheduled execution or drop their own keys into /root/.ssh/authorized_keys for permanent, high-privilege access.
While the attack requires the actor to be an "authenticated" cluster peer, this offers little comfort in modern distributed environments. If a single node in a cluster is compromised via another vector, this vulnerability lets the attacker push malicious archives to every other node during the next synchronization, turning a localized breach into a cluster-wide compromise.
The Wazuh team has released a patch that implements strict path containment and normalization. Because the check is applied on the receiving side and every node receives sync data, all administrators are urged to upgrade every node in their clusters immediately rather than only the master.