CVE-2026-39359 in Wazuhinfo

Summary

by MITRE • 07/17/2026

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.0.0 through 4.10.3 and 4.11.0 through 4.14.4, a logic flaw affects the Wazuh Manager's enrollment daemon (authd) and synchronization daemon (remoted). The authd process allows agents to select a group during enrollment but does not filter path traversal sequences such as "..." While the manager checks for the group directory using wopendir(), the ".." sequence references the parent directory (/var/ossec/etc), allowing it to pass validation. After the malicious group is accepted and stored in the manager's global database, the remoted process uses this unchecked value to build paths for agent configuration synchronization. As a result, sensitive files from /var/ossec/etc, such as client.keys, ossec.conf, and internal certificates, are included in the agent's shared configuration stream and exposed to the attacker. This issue has been fixed in versions 4.10.4 and 4.14.5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability under discussion affects Wazuh Manager's authentication and synchronization processes, creating a critical path traversal flaw that enables unauthorized access to sensitive system files. This issue exists within the authd daemon responsible for agent enrollment and the remoted daemon handling agent configuration synchronization. The core problem stems from inadequate input validation during group assignment where the system fails to properly sanitize directory traversal sequences such as "..." during agent enrollment. While the wopendir() function performs basic directory validation, it does not adequately filter out path traversal characters that could allow attackers to reference parent directories beyond the intended group structure.

The technical exploitation of this vulnerability begins with an attacker registering a Wazuh agent and specifying a malicious group name containing path traversal sequences. The authd process accepts this input without proper sanitization, allowing the malicious group to pass validation checks despite referencing parent directories. Once validated and stored in the manager's global database, this unchecked group name becomes part of the agent enrollment process. Subsequently, the remoted daemon processes this malicious value when building file paths for configuration synchronization, directly incorporating sensitive files from the /var/ossec/etc directory into the agent's shared configuration stream.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially compromise the entire Wazuh security infrastructure. Sensitive files including client.keys containing agent authentication credentials, ossec.conf with system configuration parameters, and internal certificates used for secure communications become accessible through the agent synchronization mechanism. This exposure creates opportunities for attackers to escalate privileges, impersonate legitimate agents, or gain deeper access to the protected network environment. The vulnerability represents a classic case of inadequate input validation that allows path traversal attacks, which aligns with CWE-23 (Relative Path Traversal) and CWE-73 (External Control of File Name or Path) classifications.

Security practitioners should consider this vulnerability in relation to ATT&CK tactics such as TA0006 (Credential Access) and TA0005 (Defense Evasion), as it enables both unauthorized access to credentials and potential evasion of security controls through compromised agent configurations. The remediation requires updating Wazuh Manager installations to versions 4.10.4 or 4.14.5 where proper path sanitization has been implemented in the authentication daemon. Organizations should also implement monitoring for unusual group assignment patterns and conduct thorough review of agent enrollment processes to detect potential exploitation attempts.

The vulnerability demonstrates a fundamental security principle that input validation must occur at multiple layers within a system architecture, particularly when handling user-provided data that will be used in file system operations. Effective mitigation strategies include implementing strict path validation routines that reject any input containing directory traversal sequences, employing proper access controls for sensitive configuration files, and establishing comprehensive monitoring of agent enrollment activities. This case highlights the importance of secure coding practices and the necessity of thorough security testing, particularly for authentication and authorization components that handle user inputs in security-critical systems. The fix implemented in subsequent versions demonstrates proper remediation through input sanitization and path validation mechanisms that prevent unauthorized directory traversal operations within the Wazuh Manager's file system access controls.

This vulnerability represents a significant risk to organizations relying on Wazuh for threat detection and response, as it could allow attackers to compromise not just individual agents but potentially the entire security monitoring infrastructure. The impact extends beyond immediate credential theft to include potential disruption of security operations and loss of integrity in threat detection capabilities. Organizations should prioritize immediate patching of affected systems and implement additional monitoring controls to detect similar path traversal attempts in other components of their security infrastructure, ensuring comprehensive protection against this class of vulnerability that continues to be prevalent in security systems worldwide.

Responsible

GitHub M

Reservation

04/06/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00242

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!