Introduction
A path traversal flaw in Logstash's GeoIP database extraction logic allows an attacker to write arbitrary files to the host filesystem, and under the right conditions, escalate that to remote code execution within seconds. Because the vulnerable GeoIP downloader feature is enabled by default in Logstash, any instance that has not been explicitly hardened against this vector is potentially exposed.
Technical Information
The root cause of CVE-2026-33466 is a failure to validate file paths during archive extraction in Logstash's GeoIP database management subsystem. This is a textbook "Zip Slip" vulnerability (classified under CWE-22 and CAPEC-139). When Logstash downloads and extracts a compressed GeoIP database archive, the extraction logic does not check whether the resolved output paths for individual archive entries remain within the intended target directory. An archive containing entries with relative path traversal sequences (e.g., ../../etc/cron.d/malicious) can escape the extraction boundary and place files anywhere the Logstash process has write access.
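The check the paragraph describes, shown as an added Python illustration rather than Logstash's own (Java) extraction code: a small tar.gz is built in memory with one plausible database entry and one entry whose name carries `../` components, a naive extractor's join shows where that entry would land, and a bounded extractor rejects it. The archive format, entry names and directory layout are assumptions for the demo, and the constructed entries contain no real data.

```python
"""Zip Slip in miniature: why each archive entry's resolved path must be
checked against the extraction directory before anything is written.

Added illustration, not Logstash's own extraction code. The archive
format (tar.gz), entry names and directory layout are assumptions.
"""
import io
import os
import tarfile
import tempfile


def build_archive(entries):
    """Build a gzipped tar in memory from {entry_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_target(dest_dir, entry_name):
    """Where an unchecked extractor writes an entry: join, then normalise.
    '..' components survive the join, so the result can leave dest_dir."""
    return os.path.normpath(os.path.join(dest_dir, entry_name))


def is_within(dest_dir, path):
    """The fix: the resolved path must be dest_dir or a descendant of it.
    Both sides go through realpath so symlinks and '..' cannot cheat."""
    real_dest = os.path.realpath(dest_dir)
    real_path = os.path.realpath(path)
    return real_path == real_dest or real_path.startswith(real_dest + os.sep)


def safe_extract(archive_bytes, dest_dir):
    """Extract only regular-file entries that resolve inside dest_dir.
    Returns (written, rejected) lists of entry names."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = naive_target(dest_dir, member.name)
            # Absolute names, traversal, and non-regular entries (symlinks,
            # hard links, devices) are all rejected; links are a second
            # escape route even when the name itself looks harmless.
            if (os.path.isabs(member.name) or not member.isfile()
                    or not is_within(dest_dir, target)):
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(member.name)
    return written, rejected


def run_demo():
    """Constructed demo: one plausible database entry and one traversal
    entry, extracted into a fresh temporary directory tree."""
    archive = build_archive({
        "GeoLite2-City.mmdb": b"\x00placeholder-not-a-real-database",
        "../../etc/cron.d/malicious": b"# would land two levels above dest\n",
    })
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "data", "geoip")
        os.makedirs(dest)
        written, rejected = safe_extract(archive, dest)
        escaped = os.path.exists(os.path.join(root, "etc", "cron.d", "malicious"))
    return {"written": written, "rejected": rejected, "escaped": escaped}


if __name__ == "__main__":
    print("naive extractor would write to:",
          naive_target("/opt/logstash/data/geoip", "../../etc/cron.d/malicious"))
    print(run_demo())
```

The comparison in `is_within` is done on `realpath` output and with a trailing separator appended to the destination, so a sibling directory whose name merely shares a prefix (for example `geoip-old` next to `geoip`) is not mistaken for a descendant, and a symlink planted inside the destination cannot redirect a later entry.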
The Delivery Vector: GeoIP Database Downloads
Logstash includes a built-in GeoIP database management feature controlled by the xpack.geoip.downloader.enabled setting, which defaults to true. When active, Logstash periodically fetches updated GeoIP2 databases from the endpoint specified in xpack.geoip.downloader.endpoint (defaulting to https://geoip.elastic.co/v1/database). This polling occurs every 24 hours by default, governed by xpack.geoip.downloader.poll.interval.
An attacker who compromises this endpoint, intercepts the download traffic via a man-in-the-middle position, or manipulates DNS routing to redirect the request can serve a specially crafted archive in place of the legitimate GeoIP database update.
Attack Flow
- The attacker gains the ability to serve a malicious archive to the Logstash GeoIP downloader. This could be achieved by compromising the update endpoint, performing DNS hijacking, or exploiting a network position that allows traffic interception.
- Logstash downloads the crafted archive during its next scheduled polling cycle.
- The archive extraction utility processes the archive without validating the paths of its entries. Entries containing relative path traversal sequences write files to arbitrary locations on the host filesystem, running with the full privileges of the Logstash process.
- If config.reload.automatic is enabled (it defaults to false), Logstash monitors its pipeline configuration files for changes every 3 seconds (controlled by config.reload.interval). The attacker can target a pipeline configuration file with the arbitrary write, injecting a malicious pipeline definition.
- Logstash detects the configuration change and automatically reloads the modified pipeline, executing the attacker's code within seconds of the file write.
Configuration Settings and Risk Context
The following table summarizes the settings relevant to this vulnerability:
| Setting | Default Value | Risk Context |
|---|---|---|
| xpack.geoip.downloader.enabled | true | Enables the automatic download mechanism that serves as the delivery vector |
| xpack.geoip.downloader.endpoint | https://geoip.elastic.co/v1/database | The URL from which archives are fetched; compromise enables the attack |
| xpack.geoip.downloader.poll.interval | 24h | Determines how frequently Logstash fetches new archives |
| config.reload.automatic | false | When enabled, creates the escalation path from file write to RCE |
| config.reload.interval | 3s | Controls how quickly a modified configuration file is detected and loaded |
The asymmetry between the 24-hour download interval and the 3-second reload interval is notable: the delivery opportunity is narrow (one fetch per day by default, so an attacker relying on a network position must hold it until that fetch occurs), but once a malicious archive lands, escalation to code execution follows within a single reload interval.
Patch Information
Elastic addressed CVE-2026-33466 through coordinated version releases across all three active Logstash release branches on April 8, 2026:
| Release Branch | Fixed Version |
|---|---|
| 8.x | 8.19.14 |
| 9.2.x | 9.2.8 |
| 9.3.x | 9.3.3 |
The fix adds proper path validation during archive extraction. After the patch, the extraction logic ensures that every resolved output path remains strictly within the intended target directory, rejecting any archive entry whose path would resolve outside the designated extraction boundary. This is the standard and well understood defense against Zip Slip style attacks.
One detail worth noting for teams tracking changes: the public release notes for these versions (for example, the Logstash 8.19.14 release notes page) list only plugin dependency updates such as Netty upgrades and Log4j bumps. The security fix itself is tracked separately under Elastic Security Advisory ESA-2026-29 and is not itemized in the standard changelog. This is consistent with Elastic's practice of decoupling security fix disclosures from general release notes.
All three patched releases were published to the elastic/logstash GitHub repository on April 8, 2026 (tags v8.19.14, v9.2.8, and v9.3.3), confirming availability for immediate upgrade. No specific commit level code diffs have been disclosed publicly by Elastic for this fix.
Interim Workarounds
If immediate patching is not feasible, the following configuration changes reduce exposure:
- Disable the GeoIP Downloader: Set xpack.geoip.downloader.enabled to false in logstash.yml. This prevents Logstash from fetching archives from external endpoints, neutralizing the primary delivery mechanism. Note that this must be done explicitly in air-gapped or offline environments as well; the setting defaults to true regardless of whether the endpoint is reachable.
- Disable Automatic Configuration Reloading: Ensure Logstash is not started with config.reload.automatic enabled, whether set in logstash.yml or via the -r / --config.reload.automatic command-line flag. This breaks the fast escalation path from arbitrary file write to remote code execution. It does not remove the file write itself: a tampered pipeline file is still loaded at the next restart or on a manual SIGHUP reload, so treat this as a stopgap rather than a fix.
- Verify Endpoint Integrity: If the GeoIP downloader must remain enabled, confirm that xpack.geoip.downloader.endpoint points strictly to the official Elastic URL (https://geoip.elastic.co/v1/database, over HTTPS) and that DNS resolution for that domain has not been tampered with.
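The settings table and the three workarounds above reduce to a check that can be scripted. The following Python script is an added example, not Elastic's tooling: it reads the flat `key: value` form of logstash.yml (the nested YAML form is not handled), applies the defaults listed above, honours the -r / --config.reload.automatic startup flag, and reports whether the delivery vector (downloader enabled) and the escalation path (automatic reload) are present. The two sample configurations embedded in it are constructed for the demo.

```python
"""Exposure check for the two settings that make CVE-2026-33466 reachable.

Added example, not Elastic's code. Reads the flat `key: value` form of
logstash.yml, merges in the documented defaults and the -r startup flag,
and classifies the host as not-exposed, arbitrary-file-write or rce.
"""

# Defaults as documented for the affected releases.
DEFAULTS = {
    "xpack.geoip.downloader.enabled": "true",
    "xpack.geoip.downloader.endpoint": "https://geoip.elastic.co/v1/database",
    "xpack.geoip.downloader.poll.interval": "24h",
    "config.reload.automatic": "false",
    "config.reload.interval": "3s",
}
OFFICIAL_ENDPOINT = DEFAULTS["xpack.geoip.downloader.endpoint"]


def parse_flat_yaml(text):
    """Parse `key: value` lines; comments, blank lines and nested-form
    headers (a key with no inline value) are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")   # first ':' only, URLs keep theirs
        value = value.strip().strip("\"'")
        if not sep or not value:
            continue
        settings[key.strip()] = value
    return settings


def effective_settings(yml_text, cli_args=()):
    """Merge defaults, logstash.yml and startup flags (flags win)."""
    settings = dict(DEFAULTS)
    settings.update(parse_flat_yaml(yml_text))
    if any(a in ("-r", "--config.reload.automatic") for a in cli_args):
        settings["config.reload.automatic"] = "true"
    return settings


def assess(settings):
    """Return (exposure, findings); exposure is 'not-exposed',
    'arbitrary-file-write' or 'rce'."""
    findings = []
    downloader = settings["xpack.geoip.downloader.enabled"].lower() == "true"
    auto_reload = settings["config.reload.automatic"].lower() == "true"
    endpoint = settings["xpack.geoip.downloader.endpoint"]
    if not downloader:
        return "not-exposed", ["GeoIP downloader disabled: delivery vector removed"]
    findings.append("delivery vector present: downloader polls %s every %s"
                    % (endpoint, settings["xpack.geoip.downloader.poll.interval"]))
    if endpoint != OFFICIAL_ENDPOINT:
        findings.append("endpoint is not the official Elastic URL: %s" % endpoint)
    if not endpoint.startswith("https://"):
        findings.append("endpoint is not HTTPS: download is trivially interceptable")
    if auto_reload:
        findings.append("escalation path present: pipelines reload every %s"
                        % settings["config.reload.interval"])
        return "rce", findings
    findings.append("config.reload.automatic is false: a written pipeline file "
                    "is not executed until the next restart or SIGHUP")
    return "arbitrary-file-write", findings


def check(yml_text, cli_args=()):
    return assess(effective_settings(yml_text, cli_args))


# Constructed sample configurations (not from any real deployment).
WEAK_YML = """\
# logstash.yml: downloader left at its default, auto-reload switched on
config.reload.automatic: true
config.reload.interval: 3s
"""
HARDENED_YML = """\
# logstash.yml: interim workarounds from the advisory applied
xpack.geoip.downloader.enabled: false
config.reload.automatic: false
"""

if __name__ == "__main__":
    for label, yml, args in (("weak", WEAK_YML, []),
                             ("defaults + -r flag", "", ["-r"]),
                             ("hardened", HARDENED_YML, [])):
        exposure, findings = check(yml, args)
        print("%s: %s" % (label, exposure))
        for finding in findings:
            print("  -", finding)
```

Run it against the real logstash.yml and the argument list from the service unit or container entrypoint; an empty file classifies as arbitrary-file-write because the downloader is on by default, which is the point the affected-systems section makes.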
Affected Systems and Versions
All versions of Logstash prior to the following patched releases are affected:
- Logstash versions on the 8.x branch prior to 8.19.14
- Logstash versions on the 9.2.x branch prior to 9.2.8
- Logstash versions on the 9.3.x branch prior to 9.3.3
The vulnerability is exploitable when xpack.geoip.downloader.enabled is set to true (the default). The escalation to remote code execution requires config.reload.automatic to also be enabled (defaults to false).
Vendor Security History
Elastic maintains a transparent and structured security disclosure process. The company publishes security announcements through its discussion forums and coordinates patches across multiple supported version branches simultaneously. The simultaneous release of fixes across three active branches (8.x, 9.2.x, and 9.3.x) on the same day demonstrates a mature incident response and patch management lifecycle. Security advisories are tracked under a dedicated ESA numbering scheme and are intentionally separated from general release notes.
References
- NVD Entry for CVE-2026-33466
- Elastic Security Advisory ESA-2026-29: Logstash 8.19.14, 9.2.8, 9.3.3 Security Update
- Logstash GitHub Releases
- Logstash 8.19.14 Release Notes
- Configure GeoIP Database Management (Logstash 8.19)
- Reloading the Config File (Logstash 8.19)
- Logstash Configuration File on GitHub
- Elastic Stack Overview
- Logstash Downloads