CVE-2026-33466

CVSS Score & Metrics

Base Score

8.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.

Vulnerability Details

Published Date

April 08, 2026

Last Modified

April 10, 2026

CWE ID

CWE-22

Source

NVD

Vendor

Elastic

Product

Logstash

External References

https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment