Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
AnalysisAI
Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.
Technical ContextAI
This vulnerability affects the archive extraction subsystem in Elastic Logstash (CPE: cpe:2.3:a:elastic:logstash), specifically versions 8.0.0 through 8.19.13. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. Logstash's archive handling code fails to sanitize file paths embedded within compressed archives (e.g., ZIP, TAR), allowing relative path sequences like '../../../' to escape intended extraction directories. This vulnerability maps to CAPEC-139 (Relative Path Traversal) attack pattern. The attack surface is the update endpoint mechanism where Logstash retrieves and extracts plugin archives or configuration updates. When Logstash processes a malicious archive containing traversal sequences, files are written outside the designated directory with the privileges of the Logstash service account. In deployments with automatic pipeline reloading enabled (a common configuration for dynamic pipeline management), attackers can overwrite pipeline configuration files (*.conf) to inject arbitrary code executed by the Logstash JRuby runtime, achieving full remote code execution.
RemediationAI
Upgrade immediately to Logstash version 8.19.14 or later, which addresses the path traversal vulnerability in archive extraction utilities per vendor advisory ESA-2026-29 (https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816). Organizations unable to apply patches immediately should implement compensating controls: disable automatic plugin updates and configure Logstash to only accept plugins from cryptographically verified internal repositories; disable automatic pipeline reloading if not operationally required to prevent file write escalation to RCE; implement network segmentation to restrict Logstash update traffic to trusted internal sources only; monitor file system activity for unexpected writes outside Logstash installation directories; and verify integrity of existing pipeline configurations and plugins if compromise is suspected. Review and harden update endpoint configurations to ensure mutual TLS authentication and certificate pinning for all plugin repository communications.
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. Rat
The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls fo
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a cra
Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could co
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwa
Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5,
Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. Rated high
Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attacke
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SS
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstanc
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20526
GHSA-w3rv-2cr7-p2wh