#VU125552 Path traversal in Logstash - CVE-2026-33466

Published: April 9, 2026


Vulnerability identifier: #VU125552
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33466
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Logstash
Software vendor:
Elastic Stack

Description

The vulnerability allows a remote attacker to write arbitrary files and potentially execute arbitrary code.

The vulnerability exists due to path traversal in archive extraction utilities when processing a specially crafted archive fetched from an external update endpoint. A remote attacker able to serve such an archive can write arbitrary files and potentially execute arbitrary code.

Only deployments with the GeoIP database downloader enabled and configured to use an external update endpoint are affected. In certain configurations, exploitation can be escalated when automatic pipeline configuration reloading is enabled and the pipeline configuration directory is writable by the Logstash process.
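The defensive check that CWE-22 in archive extraction calls for, as an added example in Ruby that is not Elastic's or Logstash's own code: every entry name is resolved against the destination directory before anything is written, and names that escape it (or link entries that could redirect a later write) are rejected. The archive contents, file names and the "pipeline" target directory are constructed for illustration.

```ruby
require "rubygems/package"
require "stringio"
require "fileutils"
require "tmpdir"

# Resolve an archive entry name under dest_dir; return nil for anything that
# escapes it ("../" segments or absolute names) so the caller can refuse it.
def safe_entry_path(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  return nil if entry_name.start_with?("/")
  target = File.expand_path(entry_name, root)
  target.start_with?(root + File::SEPARATOR) ? target : nil
end

# Extract a tar stream into dest_dir, writing only plain files and directories
# that resolve inside it; traversal names, links and other types are rejected.
def extract_tar_safely(tar_io, dest_dir)
  extracted, rejected = [], []
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      name = entry.full_name
      target = safe_entry_path(dest_dir, name)
      if target && entry.directory?
        FileUtils.mkdir_p(target)
      elsif target && entry.file?
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read)
        extracted << target
      else
        rejected << name
      end
    end
  end
  [extracted, rejected]
end
# Constructed sample archive (not a real Elastic download): one legitimate
# database file plus a "../" entry aimed at a pipeline config directory.
def build_sample_tar
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file_simple("GeoLite2-City.mmdb", 0o644, 4) { |f| f.write("MMDB") }
    tar.add_file_simple("../../pipeline/evil.conf", 0o644, 5) { |f| f.write("input") }
  end
  io.rewind
  io
end
# Extract the sample into a throwaway directory; returns [extracted basenames, rejected names].
def demo
  Dir.mktmpdir("geoip") { |d| ex, rj = extract_tar_safely(build_sample_tar, d); [ex.map { |p| File.basename(p) }, rj] }
end
```

A rejected entry is the signal to log and abort the update rather than continue: a legitimate GeoIP database archive never needs to write outside its own directory.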


Remediation

Install the security update from the vendor's website.

External links