{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33466", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2026-03-20T10:53:23.100Z", "datePublished": "2026-04-08T16:50:42.186Z", "dateUpdated": "2026-04-10T03:56:01.015Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Logstash", "vendor": "Elastic", "versions": [{"lessThanOrEqual": "8.19.13", "status": "affected", "version": "8.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution."}], "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.1, "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-08T16:50:42.186Z"}, "references": [{"url": "https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816"}], "source": {"discovery": "Elastic"}, "title": "Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write", "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33466"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T03:56:01.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33466", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T19:12:46.486593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:13:04.010Z"}}], "cna": {"title": "Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write", "source": {"discovery": "Elastic"}, "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Logstash", "versions": [{"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.19.13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816"}], "x_generator": {"engine": "Elastic CVE Publisher 0.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2026-04-08T16:50:42.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33466", "state": "PUBLISHED", "dateUpdated": "2026-04-10T03:56:01.015Z", "dateReserved": "2026-03-20T10:53:23.100Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2026-04-08T16:50:42.186Z", "assignerShortName": "elastic"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "matchCriteriaId": "55DBE8FA-7310-4495-974D-98C32189B038", "versionEndExcluding": "8.19.14", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "matchCriteriaId": "00CAA64C-2749-427D-B403-5A42B6ABBB1F", "versionEndExcluding": "9.2.8", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "matchCriteriaId": "55ADA858-5D32-4C8A-865B-BD386A9615B7", "versionEndExcluding": "9.3.3", "versionStartIncluding": "9.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution."}], "id": "CVE-2026-33466", "lastModified": "2026-04-21T23:14:06.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@elastic.co", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T18:26:00.557", "references": [{"source": "security@elastic.co", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816"}], "sourceIdentifier": "security@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@elastic.co", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.19.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Logstash", "source": "cna", "vendor": "Elastic"}, "product": "logstash", "vendor": "elastic"}], "analysis": {"en": {"generated_at": "2026-04-08T18:51:53.222096+00:00", "value": {"mitigation_remediation": ["Apply the latest Logstash update (8.19.14 or newer) to incorporate the vendor fix.", "If an immediate update is not possible, disable automatic pipeline reloading during the interim period.", "Restrict update endpoints to trusted sources and validate update integrity before deployment.", "Review file\u2011system permissions to ensure Logstash runs with the least privileges necessary.", "Monitor Logstash logs for unusual archive extraction activity and investigate any anomalies promptly."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution via arbitrary file write"}, "threat_synthesis": {"affected_systems": "Elastic Logstash is affected. No specific product version information is supplied in the advisory, so all deployed Logstash instances should be inspected for recent update controls. The vulnerability exists wherever the archive extraction utilities are used without proper path validation.", "description_and_impact": "Improper limitation of pathname within Logstash when extracting compressed archives allows an attacker to craft a specially formed archive that writes files outside the intended directory. This lack of validation results in arbitrary file write and, in configurations with automatic pipeline reloading, can be escalated to execution of malicious code on the host. The weakness maps to CWE\u201122, relative path traversal (CAPEC\u2011139).", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. EPSS data is not available, and the flaw is not yet listed in CISA\u2019s KEV catalog, implying it may not yet be widely exploited. However, the attack requires an attacker to supply a crafted archive through a compromised or attacker\u2011controlled update endpoint, a mistake that is relatively easy to satisfy if the update channel is not tightly secured. Once the malicious archive is ingested, Logstash writes files with its own ownership, giving the attacker full access to the host filesystem where an automated pipeline reload could trigger arbitrary code execution. This combination of high severity, straightforward exploitation path, and potential for system\u2011wide compromise results in a high overall risk."}}}}, "created": "2026-04-08T19:26:43.541307+00:00", "updated": "2026-04-08T19:38:59.430570+00:00", "vendors": ["elastic", "elastic$PRODUCT$logstash"]}