CVE-2026-33466
Published:April 08, 2026
Updated:May 17, 2026
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives: entry names are joined to the extraction directory without canonicalising them and confirming that the result still lies under that directory, so an entry name containing ".." components resolves to a location outside it. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution, since a file the attacker controls is then picked up and executed as pipeline configuration.
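The check that a safe extractor has to make is the one the description says is missing: canonicalise each entry name against the extraction root and refuse any entry that resolves outside it. The following Ruby example is added here to illustrate that check and is not Logstash code or the actual vulnerable routine; the entry names, the helper names (unsafe_target_path, safe_target_path, extract_entries, demo) and the target file name config/pipelines.yml are constructed for the demonstration. It runs the unsafe join and the hardened check side by side over the same constructed entry list inside a temporary directory and reports which files escaped the extraction root.

```ruby
require "fileutils"
require "tmpdir"

# Constructed archive entries (not a real Logstash archive): name => contents.
# The third entry uses relative path traversal (CAPEC-139) to escape the
# extraction root; the file name is a hypothetical choice for illustration.
SAMPLE_ENTRIES = [
  { name: "plugin/README.md",           data: "harmless\n" },
  { name: "plugin/lib/plugin.rb",       data: "# plugin code\n" },
  { name: "../../config/pipelines.yml", data: "- pipeline.id: constructed\n" },
].freeze

# Vulnerable pattern: the entry name is trusted as given. File.join keeps
# the ".." components, so the resulting path can leave dest_root.
def unsafe_target_path(dest_root, entry_name)
  File.join(dest_root, entry_name)
end

# Hardened pattern: reject absolute names before joining (expand_path would
# discard dest_root for them), canonicalise the candidate path, and require
# it to equal the root or sit strictly below it. The trailing separator in
# the prefix check stops "/opt/ls2" from passing for a root of "/opt/ls".
def safe_target_path(dest_root, entry_name)
  root = File.expand_path(dest_root)
  if entry_name.start_with?("/") || entry_name.match?(/\A[A-Za-z]:[\\\/]/)
    raise ArgumentError, "absolute entry name rejected: #{entry_name}"
  end
  target = File.expand_path(entry_name, root)
  unless target == root || target.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "entry escapes extraction root: #{entry_name}"
  end
  target
end

# Write each entry under dest_root and return the absolute paths written.
# With safe: false every entry lands wherever its name points; with
# safe: true a traversing entry raises before anything is written for it.
def extract_entries(entries, dest_root, safe:)
  written = []
  entries.each do |entry|
    target = safe ? safe_target_path(dest_root, entry[:name]) : unsafe_target_path(dest_root, entry[:name])
    FileUtils.mkdir_p(File.dirname(target))
    File.write(target, entry[:data])
    written << File.expand_path(target)
  end
  written
end

# Run both extractors on the sample entries inside a throwaway directory.
# dest sits two levels below the tmpdir so the "../../" entry stays inside
# the tmpdir and is cleaned up with it.
def demo
  Dir.mktmpdir("zipslip") do |tmp|
    dest = File.join(tmp, "work", "extract")
    FileUtils.mkdir_p(dest)
    unsafe_written = extract_entries(SAMPLE_ENTRIES, dest, safe: false)
    escaped = unsafe_written.reject { |p| p.start_with?(dest + File::SEPARATOR) }
    safe_error = nil
    begin
      extract_entries(SAMPLE_ENTRIES, dest, safe: true)
    rescue ArgumentError => e
      safe_error = e.message
    end
    { unsafe_escaped: escaped.map { |p| p.sub(tmp, "<tmp>") }, safe_error: safe_error }
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The prefix check alone is not the whole story for tar-style archives: an entry that is a symbolic link pointing outside the root, followed by a later entry written through that link, bypasses a check that only looks at entry names. An extractor that supports links should also refuse link targets that resolve outside the root, or extract into a fresh directory and only then move the result into place.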
Affected Packages
https://github.com/elastic/logstash.git (GITHUB):
Affected version(s): >=v8.0.0 <v8.19.14
Fix Suggestion: Update to version v8.19.14
https://github.com/elastic/logstash.git (GITHUB):
Affected version(s): >=v9.0.0 <v9.2.8
Fix Suggestion: Update to version v9.2.8
https://github.com/elastic/logstash.git (GITHUB):
Affected version(s): >=v9.3.0 <v9.3.3
Fix Suggestion: Update to version v9.3.3
Related Resources (1)
CVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS
Base Score:
0.39