Wazuh has fixed a critical issue tracked as CVE-2026-30893, rated 9.0 on the CVSS scale, that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This can be escalated to code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components.
The flaw lies in Wazuh's cluster synchronization code, specifically in the decompress_files() function. When Wazuh cluster nodes share data, they exchange archives containing configuration and operational files.
The receiving node takes file paths directly from the incoming archive and passes them to os.path.join() without any normalization or containment checks, so a compromised or malicious peer can craft an archive whose entry names contain path traversal sequences.
When the victim node performs the sync, it writes the attacker's content to that path, even when it lies outside the intended sync directory.
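The following is an added illustration, not Wazuh's own code: unsafe_target() shows the join-without-checks pattern the article describes, and safe_target() / extract_archive() show the containment check a receiving node should apply before writing any archive entry. The archive built by build_sample_archive() is constructed for this example (one benign config entry plus, optionally, one entry with a traversal name); the function and entry names are assumptions.

```python
import io
import os
import tarfile


def unsafe_target(dest_dir, member_name):
    # The pattern described above: the archive-supplied name is joined onto the
    # destination with no normalization or containment check. A name such as
    # "../../x" or an absolute path lands outside dest_dir.
    return os.path.join(dest_dir, member_name)


def safe_target(dest_dir, member_name):
    """Return the absolute path an entry would be written to, or raise ValueError
    if that path would fall outside dest_dir."""
    base = os.path.realpath(dest_dir)
    # os.path.join discards everything before an absolute component, so reject
    # absolute names outright instead of relying on the containment test alone.
    if os.path.isabs(member_name):
        raise ValueError(f"absolute member name rejected: {member_name!r}")
    # realpath() collapses ".." segments and resolves symlinks in existing parts.
    candidate = os.path.realpath(os.path.join(base, member_name))
    # commonpath() is the containment test. A plain startswith() check would
    # accept "/var/ossec/cluster-evil/x" for a base of "/var/ossec/cluster".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal rejected: {member_name!r}")
    return candidate


def extract_archive(archive_bytes, dest_dir):
    """Extract regular files from a tar archive into dest_dir, refusing the whole
    archive (before writing anything) if any entry would escape dest_dir."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        # Only plain files: symlink and hardlink entries are another escape route.
        members = [m for m in tar.getmembers() if m.isfile()]
        # Validate every name first so a bad archive leaves no partial state.
        targets = [safe_target(dest_dir, m.name) for m in members]
        for member, target in zip(members, targets):
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_archive(include_traversal):
    """Constructed sample archive: a benign config entry and, optionally, an
    entry whose name tries to climb out of the extraction directory."""
    entries = [("etc/ossec.conf", b"<ossec_config/>\n")]
    if include_traversal:
        # Constructed traversal name; the content is a placeholder, not a payload.
        entries.append(("../../../etc/cron.d/constructed-sample",
                        b"# constructed placeholder\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    dest = tempfile.mkdtemp()
    print("benign archive ->", extract_archive(build_sample_archive(False), dest))
    try:
        extract_archive(build_sample_archive(True), dest)
    except ValueError as exc:
        print("traversal archive ->", exc)
```

Note that recent Python releases (3.12, and the 3.8 to 3.11 security backports) also offer tarfile.extractall(filter="data"), which rejects entries that escape the destination; the explicit check above makes the containment rule visible and applies equally to archive formats without such a filter.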
Because Wazuh is often tasked with protecting high-value workloads, the impact of this vulnerability depends heavily on the deployment context:
Standard Installations: The daemon usually runs as the wazuh user. In that case an attacker can overwrite Python modules under /var/ossec/wodles/; because Wazuh components load and run these modules regularly, the attacker obtains code execution in the Wazuh service context.
Docker & Elevated Deployments: In many container setups the Wazuh process runs as root by default, which raises the impact to a full system takeover. An attacker can write to /etc/cron.d/ to schedule tasks or append keys to /root/.ssh/authorized_keys for persistent, privileged access.
While the attack requires the sender to be an authenticated cluster peer, that offers little reassurance in a distributed deployment. If one node is compromised by any other means, this weakness lets the attacker move quickly to every other node, turning a local compromise into a cluster-wide one.
The Wazuh team has released a fix that adds strict path validation and normalization. All administrators should upgrade their clusters immediately.
