Wazuh
CVE-2026-39359
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable enrollment with no auth in default config (PR:N, AV:N, AC:L); impact is disclosure of sensitive config files only, so C:H, I:N, A:N.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.0.0 through 4.10.3 and 4.11.0 through 4.14.4, a logic flaw affects the Wazuh Manager's enrollment daemon (authd) and synchronization daemon (remoted). The authd process allows agents to select a group during enrollment but does not filter path traversal sequences such as "..." While the manager checks for the group directory using wopendir(), the ".." sequence references the parent directory (/var/ossec/etc), allowing it to pass validation. After the malicious group is accepted and stored in the manager's global database, the remoted process uses this unchecked value to build paths for agent configuration synchronization. As a result, sensitive files from /var/ossec/etc, such as client.keys, ossec.conf, and internal certificates, are included in the agent's shared configuration stream and exposed to the attacker. This issue has been fixed in versions 4.10.4 and 4.14.5.
AnalysisAI
Sensitive file disclosure in the Wazuh Manager (versions 4.0.0-4.10.3 and 4.11.0-4.14.4) allows a malicious enrolling agent to exfiltrate manager secrets by abusing the group parameter during enrollment. The authd enrollment daemon fails to filter path traversal ("..") sequences in the agent-selected group name, so remoted later builds shared-configuration paths that reach /var/ossec/etc and stream files such as client.keys, ossec.conf, and internal certificates to the attacker-controlled agent. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Wazuh Manager enrollment daemon (authd, default TCP 1515) and the ability to complete agent enrollment while specifying a custom group value containing path traversal ("..") sequences - the group-selection feature of authd is the exact feature abused. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5) is internally consistent with the description: exploitation is over the network against the enrollment service, requires low complexity, and needs no user interaction, with impact confined to confidentiality (high) and no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Manager's enrollment port registers a rogue agent and supplies a group name containing ".." (e.g. traversing from the groups directory up into /var/ossec/etc). … |
| Remediation | Vendor-released patch: upgrade the Wazuh Manager to 4.10.4 (for the 4.10.x line) or 4.14.5 (for the 4.11.0-4.14.4 line), per the advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-6q95-fcwc-4h44. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit your Wazuh deployments to confirm version numbers (if running 4.0.0-4.14.4) and whether the enrollment daemon (port 1515 by default) is accessible from untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman
A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi
The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al
Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o
NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation
Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C
Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth
Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that
Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln
Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today