CVE-2026-33466

High

Published: 08 April 2026

Published

08 April 2026

Modified

21 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0040 61.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file…

paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely remediation of the path traversal flaw in Logstash through application of vendor-provided security patches.

SI-10 Information Input Validation good match

prevent

Requires validation of file paths within extracted archives to enforce restrictions and prevent relative path traversal attacks.

SI-7 Software, Firmware, and Information Integrity good match

preventdetect

Verifies integrity of archives from update endpoints to block specially crafted malicious files that exploit the improper path limitation.

Security SummaryAI

CVE-2026-33466 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22) in Logstash, stemming from archive extraction utilities that fail to properly validate file paths within compressed archives. This flaw enables relative path traversal (CAPEC-139), potentially leading to arbitrary file writes and remote code execution. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an attacker to serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint. A successful attack allows writing arbitrary files to the host filesystem using the privileges of the Logstash process. In configurations with automatic pipeline reloading enabled, this can escalate to remote code execution.

Elastic Security Advisory ESA-2026-29, available at https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816, addresses the issue with security updates for Logstash versions including 8.19.4, 9.2.8, and 9.3.3. Security practitioners should review the advisory and apply the patches to mitigate the vulnerability.

Details

CWE(s): CWE-22

Affected Products

elastic

logstash

8.0.0 — 8.19.14 · 9.0.0 — 9.2.8 · 9.3.0 — 9.3.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-33466 allows unauthenticated remote attackers (AV:N/PR:N) to perform path traversal during archive extraction via a network-accessible update endpoint, enabling arbitrary file writes and RCE, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816
Mitigation, Vendor Advisory · security@elastic.co