Description
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
Published: 2026-04-08
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution via arbitrary file write
Action: Patch Now
AI Analysis

Impact

Improper limitation of pathname within Logstash when extracting compressed archives allows an attacker to craft a specially formed archive that writes files outside the intended directory. This lack of validation results in arbitrary file write and, in configurations with automatic pipeline reloading, can be escalated to execution of malicious code on the host. The weakness maps to CWE‑22, relative path traversal (CAPEC‑139).

Affected Systems

Elastic Logstash is affected. No specific product version information is supplied in the advisory, so all deployed Logstash instances should be inspected for recent update controls. The vulnerability exists wherever the archive extraction utilities are used without proper path validation.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS data is not available, and the flaw is not yet listed in CISA’s KEV catalog, implying it may not yet be widely exploited. However, the attack requires an attacker to supply a crafted archive through a compromised or attacker‑controlled update endpoint, a mistake that is relatively easy to satisfy if the update channel is not tightly secured. Once the malicious archive is ingested, Logstash writes files with its own ownership, giving the attacker full access to the host filesystem where an automated pipeline reload could trigger arbitrary code execution. This combination of high severity, straightforward exploitation path, and potential for system‑wide compromise results in a high overall risk.

Generated by OpenCVE AI on April 8, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Logstash update (8.19.14 or newer) to incorporate the vendor fix.
  • If an immediate update is not possible, disable automatic pipeline reloading during the interim period.
  • Restrict update endpoints to trusted sources and validate update integrity before deployment.
  • Review file‑system permissions to ensure Logstash runs with the least privileges necessary.
  • Monitor Logstash logs for unusual archive extraction activity and investigate any anomalies promptly.

Generated by OpenCVE AI on April 8, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Elastic
Elastic logstash
Vendors & Products Elastic
Elastic logstash

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
Title Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Elastic Logstash
cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-04-08T19:22:26.182Z

Reserved: 2026-03-20T10:53:23.100Z

Link: CVE-2026-33466

cve-icon Vulnrichment

Updated: 2026-04-08T19:13:04.010Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T18:26:00.557

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33466

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:38:59Z

Weaknesses