CVE-2026-33466
Published 2026-04-08
Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% (41.5th percentile)
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | logstash | >= 8.0.0 < 8.19.14 | 8.19.14 |
| elastic | logstash | 8.0.0 – 8.19.13 | — |
| elastic | logstash | >= 9.0.0 < 9.2.8 | 9.2.8 |
| elastic | logstash | >= 9.3.0 < 9.3.3 | 9.3.3 |
Detection & IOCs
- Look for path traversal sequences (e.g., '../') within compressed archive files being processed by Logstash, which may indicate a crafted archive attempting to write files outside the intended extraction directory.
- Monitor the Logstash process for unexpected file write operations outside its working/data directories, especially to sensitive filesystem paths, which could indicate exploitation of this path traversal vulnerability.
- If automatic pipeline reloading is enabled, monitor for unexpected or newly written pipeline configuration files followed by pipeline reload events, as this configuration can escalate arbitrary file write to remote code execution.
- Automatic pipeline reloading being enabled in Logstash significantly elevates the risk from arbitrary file write to full remote code execution. Audit and disable this feature if not required.
- The attack vector requires the attacker to control or compromise the update endpoint serving archives to Logstash. Environments where Logstash fetches archives from external or untrusted sources are at elevated risk.
- No public exploit is currently available and no fix has been added as of April 9, 2026. Affected package is cpe:2.3:a:elastic:logstash.
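The flaw described above is an archive extractor that trusts entry names; the first detection item asks for those names to be checked for traversal before extraction. The following added example (not Logstash code, and not from this advisory) shows the check a defender would put in front of any extractor: every entry is resolved against the destination directory, and the archive is rejected whole if any entry would land outside it. The destination path and the sample zip are constructed for the demonstration.

```python
"""Reject archives whose entries would escape the extraction directory."""
import io
import os
import posixpath
import zipfile


def unsafe_members(names, dest="/var/lib/logstash/extract"):
    """Return the entry names that would resolve outside `dest`.

    Flags absolute paths, Windows drive prefixes and any '..' sequence
    that climbs above `dest`, by normalising the joined path and
    checking it is still rooted under `dest`.
    """
    root = os.path.realpath(dest)  # assumed, constructed destination
    bad = []
    for name in names:
        norm = name.replace("\\", "/")  # treat backslashes as separators
        if posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
            bad.append(name)
            continue
        target = os.path.realpath(os.path.join(root, norm))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def scan_zip(data, dest="/var/lib/logstash/extract"):
    """Inspect a zip held in memory and list its traversal entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_members(zf.namelist(), dest)


def safe_extract(data, dest):
    """Extract only after every entry has passed the check; never partially."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = unsafe_members(zf.namelist(), dest)
        if bad:
            raise ValueError(f"refusing archive with traversal entries: {bad}")
        zf.extractall(dest)
        return zf.namelist()


def build_sample_zip():
    """Constructed sample: one benign entry plus two escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/README.txt", "benign content\n")
        zf.writestr("../../../../tmp/escaped.txt", "outside dest\n")
        zf.writestr("/tmp/absolute.txt", "absolute path\n")
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see the two offending entry names; the same check applies to tar members, which is where a real deployment would also inspect symlink targets.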
No detection rules found.
No public exploits indexed.