CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
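The path validation the description says is missing can be sketched as follows. This is an added example, not Logstash's code or its fix; the function names, the destination directory and the entry names are all constructed for illustration.

```ruby
class UnsafeArchiveEntry < StandardError; end

# Returns the absolute path an entry would be written to, or raises
# UnsafeArchiveEntry if that path falls outside dest_dir.
def safe_extract_path(dest_dir, entry_name)
  # Archives built on Windows may use backslashes as separators.
  name = entry_name.tr("\\", "/")
  raise UnsafeArchiveEntry, "empty entry name" if name.strip.empty?
  raise UnsafeArchiveEntry, "NUL byte in entry name" if name.include?("\0")
  # Absolute paths and drive letters would ignore the destination.
  if name.start_with?("/") || name.match?(/\A[A-Za-z]:/)
    raise UnsafeArchiveEntry, "absolute path: #{entry_name}"
  end
  root = File.expand_path(dest_dir)
  # Joining first keeps a leading "~" literal; expand_path then collapses
  # "." and ".." segments without touching the filesystem.
  target = File.expand_path(File.join(root, name))
  # Compare against root plus a separator so a sibling such as
  # "/var/tmp/unpack-evil" is not accepted as inside "/var/tmp/unpack".
  inside = target == root || target.start_with?(root + File::SEPARATOR)
  raise UnsafeArchiveEntry, "escapes #{root}: #{entry_name}" unless inside
  target
end

# Splits entry names into [safe, unsafe] without extracting anything.
def audit_entries(dest_dir, names)
  names.partition do |n|
    begin
      safe_extract_path(dest_dir, n)
      true
    rescue UnsafeArchiveEntry
      false
    end
  end
end

# Constructed entry names, as an archive listing might return them.
SAMPLE_ENTRIES = [
  "plugin/lib/filter.rb",
  "plugin/./a/../b.txt",
  "../outside.txt",
  "plugin/../../outside.txt",
  "/etc/outside.txt",
  "..\\..\\outside.txt",
  "../unpack-evil/x",
].freeze

safe, unsafe = audit_entries("/var/tmp/unpack", SAMPLE_ENTRIES)
puts "safe: #{safe.inspect}", "rejected: #{unsafe.inspect}"
```

The check is purely lexical: symlink entries inside an archive, or symlinks already present under the destination, need separate handling before any write.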
Analysis
Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. …
Remediation
Within 24 hours: Identify all Logstash instances running versions 8.0.0-8.19.13 in your environment and disable automatic pipeline reloading via configuration. Within 7 days: Isolate affected Logstash servers from untrusted networks and restrict access to update endpoints; monitor Logstash logs for suspicious archive processing or file writes. …
EUVD-2026-20526
GHSA-w3rv-2cr7-p2wh