{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/logstash/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-33466"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","remote-code-execution","logstash"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33466 is a high-severity vulnerability in Logstash (CVSS v3.1 base score 8.1) caused by improper validation of file paths within compressed archives. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and can be exploited by an attacker to achieve arbitrary file writes on the host system. The attack vector is a specially crafted archive served to Logstash, typically from a compromised or attacker-controlled update endpoint such as a pipeline-configuration or plugin download source. The member names in the malicious archive carry directory-traversal sequences, so the extractor writes files outside the intended Logstash directories with the privileges of the Logstash process. If Logstash is configured with automatic pipeline reloading, this arbitrary file write can be leveraged to execute arbitrary code, effectively achieving remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Logstash instance that uses a vulnerable version of the archive extraction utility and retrieves archives from an update endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a compressed archive whose member names contain relative path traversal sequences (e.g., \u0026ldquo;../../path/to/malicious/file.conf\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eAttacker compromises or controls the update endpoint from which Logstash retrieves updates, such as pipeline configurations or plugins.\u003c/li\u003e\n\u003cli\u003eLogstash retrieves the malicious archive from that endpoint.\u003c/li\u003e\n\u003cli\u003eLogstash extracts the contents of the archive using the vulnerable archive extraction utility.\u003c/li\u003e\n\u003cli\u003eBecause the member paths are not validated against the extraction directory, the utility writes the files to arbitrary locations on the filesystem, overwriting existing files or creating new ones. A natural target is Logstash\u0026rsquo;s configuration directory.\u003c/li\u003e\n\u003cli\u003eIf automatic pipeline reloading is enabled, Logstash detects the modified configuration file and reloads the pipeline.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration file contains embedded code that executes arbitrary commands on the system with the privileges of the Logstash process, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33466 can lead to complete compromise of the host running Logstash, at the privilege level of the Logstash process. An attacker can gain arbitrary code execution and use it to install malware, steal sensitive data (including the event data Logstash processes), or disrupt services. The CVSS v3.1 base score of 8.1 reflects the high potential for damage. While the number of potential victims and the targeted sectors are unknown, any organization running a vulnerable Logstash instance is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Logstash that addresses CVE-2026-33466 as soon as one is available.\u003c/li\u003e\n\u003cli\u003eVerify the authenticity and integrity of any archive Logstash fetches from an update endpoint (signatures or pinned hashes over an authenticated channel), and make sure the extraction step rejects archive members whose normalized paths resolve outside the extraction directory.\u003c/li\u003e\n\u003cli\u003eDisable automatic pipeline reloading (\u003ccode\u003econfig.reload.automatic\u003c/code\u003e in \u003ccode\u003elogstash.yml\u003c/code\u003e) where possible, or implement controls that verify the integrity of pipeline configurations before they are reloaded.\u003c/li\u003e\n\u003cli\u003eRun Logstash as a dedicated low-privilege account so that a file write outside its intended directories is bounded by that account\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Logstash Path Traversal Archive Extraction\u003c/code\u003e to detect potential exploitation attempts by monitoring for suspicious file creation events.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files created outside of the intended Logstash directories using the \u003ccode\u003eDetect Logstash Out-of-Directory File Creation\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T18:26:00Z","date_published":"2026-04-08T18:26:00Z","id":"/briefs/2024-01-24-logstash-path-traversal/","summary":"CVE-2026-33466 describes a vulnerability in Logstash where improper validation of file paths within compressed archives allows arbitrary file writes, potentially leading to remote code execution.","title":"Logstash Arbitrary File Write via Path Traversal (CVE-2026-33466)","url":"https://feed.craftedsignal.io/briefs/2024-01-24-logstash-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Logstash","version":"https://jsonfeed.org/version/1.1"}
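The attack chain in the advisory above turns on one missing check: the extractor joins each archive member name onto its destination directory without confirming that the result stays inside it. The following Ruby example (Logstash is a JRuby application) is an added illustration, not code from Logstash, from the advisory, or from any real extraction utility. It places a naive extractor with exactly that CWE-22 defect beside a hardened one, and goes slightly beyond the advisory's `../` case by also rejecting absolute member names and re-checking the symlink-resolved parent directory before writing. The archive members, the `naive_extract`/`safe_extract`/`safe_destination` helpers and the temporary-directory layout are all constructed for this example.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Constructed archive members standing in for what a tar/zip reader would yield:
# [member name, member bytes]. Only the first one belongs inside the extraction root.
ARCHIVE_ENTRIES = [
  ['pipelines/app.conf', "input { stdin {} }\n"],              # benign
  ['../../config/pipelines.yml', "- pipeline.id: evil\n"],      # leading ../ traversal
  ['/etc/cron.d/backdoor', "* * * * * root id\n"],               # absolute member name
  ['plugins/../../../tmp/evil.conf', "filter { }\n"],            # traversal after a benign prefix
].freeze

# Vulnerable pattern (CWE-22): the member name is trusted and joined onto the root.
# File.join neutralises a leading slash, but every '..' component is honoured, so
# members 2 and 4 land outside +root+. Returns the absolute paths actually written.
def naive_extract(root, entries)
  entries.map do |name, data|
    dest = File.join(root, name)
    FileUtils.mkdir_p(File.dirname(dest))
    File.binwrite(dest, data)
    File.expand_path(dest)
  end
end

# Hardened resolution: refuse absolute names, resolve the name lexically against the
# root, and require the result to stay inside the root. Raises ArgumentError otherwise.
def safe_destination(root, name)
  root_path = Pathname.new(File.expand_path(root))
  raise ArgumentError, "absolute member name: #{name}" if Pathname.new(name).absolute?
  dest = Pathname.new(File.expand_path(name, root_path.to_s))
  rel = dest.relative_path_from(root_path).to_s
  if rel == '..' || rel.start_with?('../')
    raise ArgumentError, "member escapes extraction root: #{name}"
  end
  dest.to_s
end

# Hardened extractor. After creating parent directories it re-checks the real
# (symlink-resolved) parent so a symlink planted by an earlier member cannot redirect
# the write. Returns [written_paths, [[name, reason], ...]].
def safe_extract(root, entries)
  FileUtils.mkdir_p(root)
  real_root = File.realpath(root)
  written = []
  rejected = []
  entries.each do |name, data|
    begin
      dest = safe_destination(root, name)
      FileUtils.mkdir_p(File.dirname(dest))
      real_parent = File.realpath(File.dirname(dest))
      unless real_parent == real_root || real_parent.start_with?(real_root + '/')
        raise ArgumentError, "parent directory resolves outside root: #{name}"
      end
      File.binwrite(dest, data)
      written << dest
    rescue ArgumentError => e
      rejected << [name, e.message]
    end
  end
  [written, rejected]
end

# Runs both extractors on the constructed archive inside a throwaway directory and
# reports which members the naive extractor wrote outside its root versus what the
# hardened one accepted and rejected. The roots are nested two levels deep so the
# traversal members still land inside the temporary directory, which is then removed.
def demo
  Dir.mktmpdir('cve-2026-33466-demo') do |tmp|
    naive_root = File.join(tmp, 'naive', 'deep', 'extract')
    safe_root  = File.join(tmp, 'safe', 'deep', 'extract')
    FileUtils.mkdir_p(naive_root)
    naive_paths = naive_extract(naive_root, ARCHIVE_ENTRIES)
    escaped = naive_paths.reject { |p| p.start_with?(naive_root + '/') }
    written, rejected = safe_extract(safe_root, ARCHIVE_ENTRIES)
    {
      naive_escaped: escaped,
      safe_written:  written.map { |p| p.sub(File.expand_path(safe_root) + '/', '') },
      safe_rejected: rejected.map(&:first),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "naive extractor wrote outside its root: #{r[:naive_escaped].size} member(s)"
  puts "hardened extractor wrote: #{r[:safe_written].inspect}"
  puts "hardened extractor rejected: #{r[:safe_rejected].inspect}"
end
```

Running it shows the naive extractor placing two files outside its root (the `../../config/pipelines.yml` and `plugins/../../../tmp/evil.conf` members), which is the write into a configuration directory that the advisory's step 6 relies on, while the hardened extractor writes only `pipelines/app.conf` and rejects the other three. The lexical check alone is not enough in a real extractor: the second, post-`mkdir_p` check against `File.realpath` is what stops an archive from first dropping a symlink and then writing through it.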