Cyber Resilience

CVE-2026-33466

High

Published: 08 April 2026

Published
08 April 2026
Modified
21 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0054 41.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33466 is a high-severity Path Traversal (CWE-22) vulnerability in Elastic Logstash. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33466 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22) in Logstash, stemming from archive extraction utilities that fail to properly validate file paths within compressed archives. This flaw enables relative path traversal (CAPEC-139), potentially leading to arbitrary file writes and remote code execution. Published on 2026-04-08, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an attacker to serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint. A successful attack allows writing arbitrary files to the host filesystem using the privileges of the Logstash process. In configurations with automatic pipeline reloading enabled, this can escalate to remote code execution.

Elastic Security Advisory ESA-2026-29, available at https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816, addresses the issue with security updates for Logstash versions including 8.19.4, 9.2.8, and 9.3.3. Security practitioners should review the advisory and apply the patches to mitigate the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file…

more

paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-33466 allows unauthenticated remote attackers (AV:N/PR:N) to perform path traversal during archive extraction via a network-accessible update endpoint, enabling arbitrary file writes and RCE, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42398Same vendor: Elastic
CVE-2025-25015Same vendor: Elastic
CVE-2025-2505Shared CWE-22
CVE-2026-5841Shared CWE-22
CVE-2026-33242Shared CWE-22
CVE-2026-33292Shared CWE-22
CVE-2026-35605Shared CWE-22
CVE-2025-53632Shared CWE-22
CVE-2025-8110Shared CWE-22
CVE-2026-8757Shared CWE-22

Affected Assets

elastic
logstash
8.0.0 — 8.19.14 · 9.0.0 — 9.2.8 · 9.3.0 — 9.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation of the path traversal flaw in Logstash through application of vendor-provided security patches.

prevent

Requires validation of file paths within extracted archives to enforce restrictions and prevent relative path traversal attacks.

preventdetect

Verifies integrity of archives from update endpoints to block specially crafted malicious files that exploit the improper path limitation.

References