CVE-2026-33466
Path Traversal in Logstash Archive Extraction Enables RCE
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: Elastic
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | logstash | From 8.0.0 (inc) to 8.19.14 (exc) |
| elastic | logstash | From 9.0.0 (inc) to 9.2.8 (exc) |
| elastic | logstash | From 9.3.0 (inc) to 9.3.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33466 is a high-severity vulnerability in Logstash that involves improper limitation of a pathname to a restricted directory, specifically a relative path traversal flaw in the archive extraction utilities.
These utilities do not properly validate file paths within compressed archives, which allows an attacker who can supply a specially crafted archive (usually via a compromised or attacker-controlled update endpoint) to write arbitrary files to the host filesystem with the privileges of the Logstash process.
In certain configurations where automatic pipeline reloading is enabled and the pipeline configuration directory is writable by Logstash, this vulnerability can escalate to remote code execution.
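The defect class described above, shown from the defensive side as an added example that is not Logstash's own code: a tar extractor that resolves every entry against the destination directory and fails closed when any entry would escape it, run against a constructed archive carrying one traversal entry. Directory layout, file names and the payload bytes are assumptions for illustration.

```ruby
%w[rubygems/package stringio fileutils tmpdir].each { |lib| require lib }
# Resolve an entry name against the destination and refuse anything landing
# outside it: absolute names, "..", or a sibling sharing the name prefix.
def safe_entry_path(dest_dir, entry_name)
  dest = File.expand_path(dest_dir)
  raise ArgumentError, "absolute entry name: #{entry_name}" if entry_name.start_with?('/')
  target = File.expand_path(entry_name, dest)
  return target if target == dest || target.start_with?(dest + File::SEPARATOR)
  raise ArgumentError, "entry escapes destination: #{entry_name}"
end

# Fail-closed extraction: every entry is validated before anything is written, so a
# traversal entry late in the archive cannot leave a partial tree behind. Links are skipped.
def extract_tar_safely(tar_io, dest_dir)
  planned = []
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      target = safe_entry_path(dest_dir, entry.full_name)
      planned << [target, entry.file? ? entry.read : nil] if entry.file? || entry.directory?
    end
  end
  planned.map do |target, data|
    FileUtils.mkdir_p(data ? File.dirname(target) : target)
    File.binwrite(target, data) if data
    target
  end
end

# Constructed sample archive (not a real GeoIP download): benign file plus traversal entry.
def build_sample_tar
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    db = 'constructed sample mmdb bytes'
    tar.add_file_simple('GeoLite2-City/GeoLite2-City.mmdb', 0o644, db.bytesize) { |f| f.write(db) }
    bad = 'constructed traversal payload'
    tar.add_file_simple('../../pipeline/injected.conf', 0o644, bad.bytesize) { |f| f.write(bad) }
  end
  io.tap(&:rewind)
end

# Extract into a throwaway directory; :outside lists anything created beside geoip (guard failure).
def demo
  Dir.mktmpdir do |root|
    extract_tar_safely(build_sample_tar, File.join(root, 'geoip'))
    { rejected: nil, outside: Dir.children(root) - ['geoip'] }
  rescue ArgumentError => e
    { rejected: e.message, outside: Dir.children(root) - ['geoip'] }
  end
end
```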
How can this vulnerability impact me?
This vulnerability can allow an attacker to write arbitrary files to your system with the privileges of the Logstash process.
If your Logstash deployment has automatic pipeline reloading enabled and writable pipeline configuration directories, the attacker could execute malicious code remotely, leading to full remote code execution.
Indicators of compromise include unexpected files outside the GeoIP database directory, unauthorized files in pipeline configuration directories, unusual GeoIP download activity from unknown endpoints, unexplained pipeline configuration changes, and file integrity monitoring alerts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Indicators of compromise for CVE-2026-33466 include unexpected files outside the GeoIP database directory, unauthorized files in pipeline configuration directories, unusual GeoIP download activity from unknown endpoints in logs, unexplained changes to pipeline configurations, and file integrity monitoring alerts for writes outside expected GeoIP data paths.
To detect this vulnerability on your system, you can:
- Check for unexpected files outside the GeoIP database directory using commands like: `find /path/to/geoip -type f` and compare with known good state.
- Look for unauthorized files in pipeline configuration directories with: `find /path/to/pipeline/config -type f`.
- Review Logstash logs for unusual GeoIP download activity from unknown endpoints, for example: `grep geoip /var/log/logstash/logstash.log | grep -v trusted-endpoint`.
- Monitor for unexplained changes to pipeline configurations by comparing current pipeline config files with backups or using file integrity monitoring tools.
- Use file integrity monitoring tools (e.g., Tripwire, AIDE) to alert on writes outside expected GeoIP data paths.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-33466 include upgrading Logstash to fixed versions 8.19.14, 9.2.8, or 9.3.3.
If upgrading immediately is not possible, recommended mitigations are:
- Disable the GeoIP database downloader by setting `xpack.geoip.downloader.enabled: false`.
- Ensure the GeoIP downloader endpoint uses HTTPS and points to a trusted source.
- Disable automatic pipeline configuration reloading to prevent execution of malicious files.
- Restrict filesystem write permissions for the Logstash process to only necessary directories.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to write arbitrary files to the host filesystem with the privileges of the Logstash process, potentially leading to remote code execution. Such unauthorized access and control over system files can result in data breaches or unauthorized data manipulation.
From a compliance perspective, this poses significant risks to standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and system security. Exploitation of this vulnerability could lead to unauthorized access to sensitive personal or health data, violating these regulations.
Organizations using affected Logstash versions must mitigate this vulnerability promptly to maintain compliance, by upgrading to fixed versions or applying recommended mitigations such as disabling vulnerable features, restricting write permissions, and ensuring trusted update sources.