CVE-2026-9559: High-severity RCE in Wazuh DistributedAPI
| Field | Value |
|---|---|
| CVE ID | CVE-2026-9559 |
| CVSS v3.1 | 8.8 High |
| Attack vector | Network |
| Auth required | Yes, low privileges required |
| Patch status | Fixed in Wazuh 4.13.1 |
TL;DR - Wazuh DistributedAPI has an authenticated RCE caused by unsafe deserialization. - Affects Wazuh 4.4.0 through 4.13.0; upgrade to 4.13.1. - Public PoC is referenced by NVD; no CISA KEV-confirmed in-the-wild exploitation currently.
What defenders need to know first
CVE-2026-9559 is a high-severity remote code execution vulnerability in Wazuh DistributedAPI (DAPI). According to the NVD description, Wazuh before 4.13.1 allows deserialization of arbitrary class types and execution of arbitrary Python code because the prior fix for CVE-2025-24016 was incomplete. The vulnerable behavior involves an attacker injecting an unsanitized dictionary into DAPI requests or responses.
The most practical version range currently supported by the available references is Wazuh 4.4.0 through 4.13.0, with 4.13.1 and later fixed. This matters because Wazuh is a security platform and often sits in a privileged monitoring or control role. An RCE in that position can quickly become more than a single-host problem, especially in centralized or clustered deployments.
Who is affected
The affected product is Wazuh, specifically the DistributedAPI functionality. Based on the NVD CPE data and the GitHub advisory information cited in the research note, the vulnerable range is best stated as 4.4.0 through 4.13.0, while the broader NVD statement says before 4.13.1. In practice, defenders should treat any Wazuh deployment running 4.4.0 to 4.13.0 as exposed until verified otherwise.
The fixed version is Wazuh 4.13.1. If you do not yet know which version is deployed, assume exposure until you confirm the package version on all manager and related nodes. That conservative assumption is justified here because the attack is network reachable, requires only low privileges, and does not require user interaction.
Why this vulnerability matters
The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which tells defenders several important things. First, the issue is reachable over the network and is not dependent on social engineering. Second, exploitation complexity is low. Third, the attacker does need credentials or an already established low-privilege foothold, but not administrative rights.
The resulting impact is severe across confidentiality, integrity, and availability. Successful exploitation can lead to arbitrary Python code execution on the Wazuh server. In real operations, that can mean tampering with telemetry, interfering with detection logic, accessing monitored data, pivoting deeper into management infrastructure, or using the compromised server as a staging point for lateral movement.
Exploitation status and attacker prerequisites
There is public exploit/PoC material referenced by NVD, specifically a GitHub repository listed as an exploit source. That means defenders should not treat this as a theoretical bug. A public PoC typically lowers the barrier for copycat exploitation, increases scanning activity, and shortens the time between disclosure and opportunistic attacks.
At the same time, there is no CISA KEV-confirmed in-the-wild exploitation signal as of the research date, because the CVE is not listed in the Known Exploited Vulnerabilities catalog. That does not mean exploitation is impossible or absent; it only means there is no KEV-backed confirmation available from that source. In the absence of authoritative telemetry, defenders should assume the combination of a public PoC and a low-complexity authenticated RCE makes this vulnerability operationally important.
Affected and fixed versions
| Status | Versions |
|---|---|
| Affected | Wazuh 4.4.0 through 4.13.0 |
| Broad NVD wording | Wazuh before 4.13.1 |
| Fixed | Wazuh 4.13.1 and later |
The most defensible phrasing is to cite both the specific advisory-backed range and the broader NVD language. For asset owners, the practical decision is simple: if the deployment is not on 4.13.1 or later, plan remediation immediately. If version visibility is incomplete, prioritize external-facing and centrally managed Wazuh instances first.
Because the issue stems from an incomplete prior fix, teams that already responded to CVE-2025-24016 should verify they did not stop at an intermediate state. A system that was “previously patched” may still be vulnerable if it was not actually upgraded to the final fixed version for this follow-on flaw.
Technical deep dive
The core issue is CWE-502: Deserialization of Untrusted Data. Available references indicate the earlier fix for CVE-2025-24016 did not fully sanitize attacker-controlled dictionary structures in DAPI requests or responses. That left room for arbitrary class reconstruction and Python code execution through unsafe handling of serialized data.
The patch information referenced in the research note suggests several important implementation changes: validation of dictionary keys as well as values, sanitation of nested structures before deserialization, and replacement of risky parsing behavior using eval() with the safer ast.literal_eval(). Those changes align with a common secure-coding pattern: do not treat attacker-controlled structured data as executable or reconstructible object state without strict type and content validation.
Technical Notes
Patch/advisory references:
GitHub Security Advisory: GHSA-hcrc-cqqq-8p56
Patch commit: 3aadee6d1f3115961036c68b11ca056665e23bc0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9559
Defenders reviewing source changes or internal code forks should look for code paths involving object reconstruction, deserialization, and dynamic evaluation in DAPI handling. The important security question is whether any user-influenced request or response field can still reach unsafe parsing or object instantiation logic after patching.
Detection and hunting guidance
Detection is harder than patching here because public technical details do not include a complete vendor-published set of indicators of compromise. The root problem is unsafe deserialization in DAPI request and response handling, with available notes indicating improved sanitization of dictionary keys and nested structures plus replacement of eval() with ast.literal_eval() in relevant parsing. That suggests defenders should focus on unexpected DAPI activity, failed parsing or exception traces, and post-exploitation process behavior on Wazuh servers.
If you do not have application-specific detections for DAPI, start with a layered approach: monitor authentication and API usage by low-privilege accounts, inspect manager logs for anomalies near DAPI handling, and correlate unusual outbound network activity or child process execution from Wazuh service processes. Since exact log field names can vary by deployment and package layout, defenders should baseline normal DAPI usage first and treat deviations as suspicious until disproven.
Technical Notes
Example host-based hunting ideas for Linux Wazuh servers:
# Check installed Wazuh package version
dpkg -l | grep -i wazuh
rpm -qa | grep -i wazuh
# Review recent Wazuh-related logs for DAPI/API errors or Python exceptions
grep -RiE 'dapi|distributedapi|traceback|exception|literal_eval|eval' /var/ossec/logs/ /var/log/ 2>/dev/null
# Hunt for suspicious child processes spawned from Python or Wazuh-related services
ps -ef --forest | grep -Ei 'wazuh|python'
Concrete log and detection patterns to test:
Possible log keywords to search:
- dapi
- DistributedAPI
- Traceback
- exception
- ast.literal_eval
- eval
- unsanitized
- dictionary
Example Splunk search for broad anomaly hunting on Wazuh servers:
index=* (host=<wazuh_server> OR sourcetype=syslog)
("dapi" OR "DistributedAPI" OR "Traceback" OR "exception")
| stats count by host, source, sourcetype
Example Sigma-style concept for suspicious process execution from the Wazuh service context:
title: Suspicious Child Process From Wazuh Service
logsource:
product: linux
category: process_creation
detection:
selection_parent:
ParentImage|contains:
- "wazuh"
- "python"
selection_child:
Image|endswith:
- "/bash"
- "/sh"
- "/curl"
- "/wget"
- "/nc"
condition: selection_parent and selection_child
level: high
These are defensive heuristics, not vendor-confirmed IOCs. If you lack direct evidence of exploit telemetry, assume attempts may appear first as generic parsing failures, abnormal API behavior, or shell-like child process execution from a service that normally should not spawn them.
Mitigation and patching
The primary mitigation is to upgrade Wazuh to 4.13.1 or later. Because the vulnerability is tied to deserialization logic and an incomplete prior fix, compensating controls are weaker than a full version update. Restricting access helps, but it does not remove the vulnerable code path if an attacker already has valid low-privilege access.
If you cannot patch immediately, reduce exposure around DAPI-capable components and low-privilege authenticated users. Review which accounts can interact with the vulnerable management plane, enforce network segmentation around Wazuh manager infrastructure, and tighten monitoring for any account that should not normally interact with DistributedAPI paths. Also review whether internet exposure or broad east-west reachability unnecessarily increases attack surface.
Technical Notes
Upgrade commands will depend on platform and repository configuration. Because package names and repository setup can vary, verify against your deployment standard before executing in production.
Debian/Ubuntu-style environments:
sudo apt update
sudo apt install --only-upgrade wazuh-manager
RHEL/CentOS/Alma/Rocky-style environments:
sudo yum update wazuh-manager
# or on newer distributions
sudo dnf upgrade wazuh-manager
After upgrade, verify the installed version is 4.13.1 or later:
dpkg -l | grep -i wazuh-manager
rpm -q wazuh-manager
If upgrade must be delayed, use a temporary containment approach:
# Example: restrict access to management/API interfaces at the host firewall
sudo iptables -A INPUT -p tcp -s <trusted_admin_subnet> --dport <wazuh_port> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <wazuh_port> -j DROP
The exact port and service mapping should be validated in your environment. If that information is unclear, do not guess in production. Instead, inventory listening ports on the Wazuh server and restrict management-plane access to known administration networks only:
sudo ss -lntp
What to do next
First, identify every Wazuh manager or related node running 4.4.0 through 4.13.0 and prioritize upgrade to 4.13.1. Second, review low-privilege accounts and any integrations that can reach DAPI-related functionality. Third, add short-term detections for anomalous DAPI usage, parsing errors, and suspicious child processes from Wazuh service contexts.
Finally, treat this as a platform-trust issue, not just another application bug. Wazuh often occupies a high-value operational role. Even without KEV confirmation, a public PoC for an authenticated network RCE in a security management product warrants urgent remediation and post-patch verification.
References
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-9559
- GitHub Security Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-cqqq-8p56
- Patch commit: https://github.com/wazuh/wazuh/commit/3aadee6d1f3115961036c68b11ca056665e23bc0
- Public PoC repository referenced by NVD: https://github.com/MuhammadWaseem29/CVE-2026-9559
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-9559
For further reading on how attackers use open source intelligence, check our OSINT FAQ. Additionally, understanding the Common Vulnerability Scoring System (CVSS) can be beneficial; learn more in our CVSS glossary.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.