Platform: linux
Component: logstash
Fixed in: 8.19.14
CVE-2026-33466 is an Arbitrary File Access vulnerability affecting Logstash versions 8.0.0 through 8.19.13. This flaw allows attackers to write arbitrary files to the host filesystem, potentially leading to remote code execution if automatic pipeline reloading is enabled. The vulnerability stems from improper validation of file paths within compressed archives during extraction. A fix is available in Logstash 8.19.14.
An attacker exploiting CVE-2026-33466 can use a specially crafted archive, served through a compromised update endpoint, to write arbitrary files to the Logstash host. This is particularly concerning when automatic pipeline reloading is enabled, because the file write can then lead to remote code execution. With write access to the filesystem, the attacker can potentially modify configuration files, inject malicious code, or escalate privileges. The blast radius extends to any system running a vulnerable Logstash instance with automatic pipeline reloading enabled, making it a significant risk for organizations relying on Logstash for data ingestion and processing.
CVE-2026-33466 was publicly disclosed on 2026-04-08. The vulnerability's nature, involving archive extraction and file writing, shares similarities with other path traversal vulnerabilities. Currently, there are no known active campaigns targeting this specific CVE, but the availability of a public description increases the likelihood of exploitation. The EPSS score is pending evaluation, but the potential for remote code execution suggests a medium to high probability of exploitation if left unpatched.
Exploit Status
EPSS: 0.39% (60% percentile)
The primary mitigation for CVE-2026-33466 is to upgrade to Logstash version 8.19.14 or later. If upgrading immediately is not feasible, disable automatic pipeline reloading to reduce the risk of remote code execution. Consider implementing strict input validation on any update endpoints used by Logstash to prevent the ingestion of malicious archives. Network segmentation can also limit the potential impact by restricting access to Logstash instances. After upgrading, verify the fix by attempting to extract a known malicious archive and confirming that the file write is prevented.
Update Logstash to version 8.19.14 or later to mitigate the vulnerability. This update corrects the validation of file paths within compressed archives, preventing arbitrary file writes to the filesystem. See the Elastic release notes for detailed upgrade instructions.
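The kind of path validation described above, as an added example (this is not Logstash's code and not the actual patch): Ruby that resolves each archive entry name against the extraction directory and rejects any entry that would be written outside it. The function names, the directory and the entry names are constructed for illustration.

```ruby
# Added example, not Logstash code. Run this check on every entry name
# before any bytes from the archive are written to disk.

# Return the absolute path an entry would be written to, or nil when the
# entry would land outside dest_dir (or on dest_dir itself).
def resolve_entry(dest_dir, entry_name)
  return nil if entry_name.nil? || entry_name.empty? || entry_name.include?("\0")

  name = entry_name.tr("\\", "/")            # treat backslashes as separators too
  return nil if name.start_with?("/")        # absolute path
  return nil if name.match?(/\A[A-Za-z]:/)   # drive-qualified path

  root = File.expand_path(dest_dir)
  # Join first so a leading "~" in the entry name is never home-expanded,
  # then let expand_path collapse "." and ".." segments.
  target = File.expand_path(File.join(root, name))

  # Compare against root plus a separator, not the bare prefix, so that a
  # sibling such as ".../extract-old" does not pass as inside ".../extract".
  target.start_with?(root + File::SEPARATOR) ? target : nil
end

# Split entry names into [safe, rejected]. An archive with any rejected
# entry should be refused as a whole rather than partially extracted.
def audit_entries(dest_dir, entry_names)
  entry_names.partition { |n| resolve_entry(dest_dir, n) }
end

# Constructed sample input.
DEST = "/var/lib/example/extract"
SAMPLE_ENTRIES = [
  "db/records.dat",          # ordinary nested file
  "docs/../notes.txt",       # ".." that stays inside the directory
  "../outside.txt",          # climbs out of the directory
  "docs/../../outside.txt",  # climbs out after descending
  "/tmp/abs.txt",            # absolute path
  "..\\outside.txt",         # backslash-separated traversal
  "../extract-old/file.txt", # sibling directory sharing the prefix
]

if __FILE__ == $PROGRAM_NAME
  safe, rejected = audit_entries(DEST, SAMPLE_ENTRIES)
  puts "safe:     #{safe.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

This check covers entry names only; archive formats that carry symbolic or hard links need the link target validated the same way.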
CVE-2026-33466 is a HIGH severity vulnerability in Logstash versions 8.0.0–8.19.13 that allows attackers to write arbitrary files via crafted archives, potentially leading to remote code execution.
If you are running Logstash versions 8.0.0 through 8.19.13, you are potentially affected. Check your version and upgrade immediately.
Upgrade to Logstash version 8.19.14 or later. As an interim measure, disable automatic pipeline reloading.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Elastic security advisory for details: [https://www.elastic.co/security/advisories/CVE-2026-33466](https://www.elastic.co/security/advisories/CVE-2026-33466)