CVE-2026-33466
Published: 08 April 2026
Summary
CVE-2026-33466 is a high-severity Path Traversal (CWE-22) vulnerability in Elastic Logstash. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the path traversal flaw in Logstash through application of vendor-provided security patches.
Requires validation of file paths within extracted archives to enforce restrictions and prevent relative path traversal attacks.
Verifies integrity of archives from update endpoints to block specially crafted malicious files that exploit the improper path limitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-33466 allows unauthenticated remote attackers (AV:N/PR:N) to perform path traversal during archive extraction via a network-accessible update endpoint, enabling arbitrary file writes and RCE, directly mapping to exploitation of a public-facing application.
NVD Description
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file…
more
paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
Deeper analysisAI
CVE-2026-33466 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22) in Logstash, stemming from archive extraction utilities that fail to properly validate file paths within compressed archives. This flaw enables relative path traversal (CAPEC-139), potentially leading to arbitrary file writes and remote code execution. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint. A successful attack allows writing arbitrary files to the host filesystem using the privileges of the Logstash process. In configurations with automatic pipeline reloading enabled, this can escalate to remote code execution.
Elastic Security Advisory ESA-2026-29, available at https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816, addresses the issue with security updates for Logstash versions including 8.19.4, 9.2.8, and 9.3.3. Security practitioners should review the advisory and apply the patches to mitigate the vulnerability.
Details
- CWE(s)