Skip to main content

Logstash EUVDEUVD-2026-20526

| CVE-2026-33466 HIGH
Path Traversal (CWE-22)
2026-04-08 elastic GHSA-w3rv-2cr7-p2wh
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 21, 2026 - 23:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 18:16 euvd
EUVD-2026-20526
Analysis Generated
Apr 08, 2026 - 18:16 vuln.today
CVE Published
Apr 08, 2026 - 16:50 nvd
HIGH 8.1

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.

AnalysisAI

Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.

Technical ContextAI

This vulnerability affects the archive extraction subsystem in Elastic Logstash (CPE: cpe:2.3:a:elastic:logstash), specifically versions 8.0.0 through 8.19.13. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. Logstash's archive handling code fails to sanitize file paths embedded within compressed archives (e.g., ZIP, TAR), allowing relative path sequences like '../../../' to escape intended extraction directories. This vulnerability maps to CAPEC-139 (Relative Path Traversal) attack pattern. The attack surface is the update endpoint mechanism where Logstash retrieves and extracts plugin archives or configuration updates. When Logstash processes a malicious archive containing traversal sequences, files are written outside the designated directory with the privileges of the Logstash service account. In deployments with automatic pipeline reloading enabled (a common configuration for dynamic pipeline management), attackers can overwrite pipeline configuration files (*.conf) to inject arbitrary code executed by the Logstash JRuby runtime, achieving full remote code execution.

RemediationAI

Upgrade immediately to Logstash version 8.19.14 or later, which addresses the path traversal vulnerability in archive extraction utilities per vendor advisory ESA-2026-29 (https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816). Organizations unable to apply patches immediately should implement compensating controls: disable automatic plugin updates and configure Logstash to only accept plugins from cryptographically verified internal repositories; disable automatic pipeline reloading if not operationally required to prevent file write escalation to RCE; implement network segmentation to restrict Logstash update traffic to trusted internal sources only; monitor file system activity for unexpected writes outside Logstash installation directories; and verify integrity of existing pipeline configurations and plugins if compromise is suspected. Review and harden update endpoint configurations to ensure mutual TLS authentication and certificate pinning for all plugin repository communications.

CVE-2019-7612 CRITICAL
9.8 Mar 25

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. Rat

CVE-2017-14730 HIGH
7.8 Sep 25

The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls fo

CVE-2014-4326 HIGH
7.5 Jul 22

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a cra

CVE-2016-1000221 HIGH
7.5 Jun 16

Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could co

CVE-2015-5378 HIGH
7.5 Jun 27

Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwa

CVE-2016-10363 HIGH
7.5 Jun 16

Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5,

CVE-2016-1000222 HIGH
7.5 Jun 16

Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas

CVE-2019-7620 HIGH
7.5 Oct 30

Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. Rated high

CVE-2015-4152 MEDIUM
6.4 Jun 15

Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attacke

CVE-2018-3817 MEDIUM
6.5 Mar 30

When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log

CVE-2015-5619 MEDIUM
5.9 Aug 09

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SS

CVE-2023-46672 MEDIUM
5.5 Nov 15

An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstanc

Share

EUVD-2026-20526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy