EIQ-2026-0001

ID

EIQ-2026-0001

CVE

CVE-2026-33466

Description

Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write

Date

21 Apr 2026

Severity

3 - HIGH

CVSSv3 score

8.1

Status

Assessment

Elastic issued a high severity security advisory ESA-2026-29.

Our assessment is that Intelligence Center customers who have not modified the default values of the xpack.geoip.downloader.endpoint attribute in logstash.yml are at low risk.

Logstash (if deployed) as configured by the IC installation playbooks uses the default value for xpack.geoip.downloader.endpoint.

However, out of an abundance of caution, this advisory reflects the “high” severity set in ESA-2026-29.

The Intelligence Center itself does not use or depend on Logstash’s Geo-IP database features.

Some Intelligence Center deployments do not deploy Logstash. Check whether Logstash is running on your application node by running, as root, systemctl status logstash. If the command reports that the service is not found, Logstash is not running for your Intelligence Center deployment, and you are not affected.

By default, the IC installation playbooks apply Logstash configurations that leave xpack.geoip.downloader.endpoint unset. This means that Logstash then uses the default value https://geoip.elastic.co/v1/database, which mitigates this vulnerability.

However, customers may have chosen to modify this default configuration. A customer who sets xpack.geoip.downloader.endpoint to a custom URL that is untrusted or insecure could trigger the vulnerability.

We recommend that customers apply the mitigations described in ESA-2026-29.

Mitigation

Based on ESA-2026-29, Logstash configurations that fulfil both of the following conditions are affected:

  1. xpack.geoip.downloader.enabled is set to true.

  2. xpack.geoip.downloader.endpoint is explicitly set to a custom and insecure resource.

To mitigate, first check if Logstash is running on your Intelligence Center deployment. On your application node, run as root: systemctl status logstash

If it is running, mitigate per Elastic’s advice. Where Logstash is running, edit the /etc/logstash/logstash.yml file and:

  1. Set xpack.geoip.downloader.enabled: false to disable it.

  2. Set xpack.geoip.downloader.endpoint to a trusted and secure URL (i.e. HTTPS).

    Or, remove xpack.geoip.downloader.endpoint entirely so that Logstash uses the default value.

Then, restart Logstash with systemctl restart logstash.
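The following script is an added example (not from EclecticIQ or Elastic) that applies the two conditions above to a logstash.yml and reports whether the configuration is affected. It assumes the flat key: value layout the IC playbooks write, conservatively treats an unset xpack.geoip.downloader.enabled key as enabled, and relies on systemctl status exiting with status 4 when the logstash unit does not exist.

```bash
# Added example, not part of the advisory: evaluate the ESA-2026-29 conditions
# against a logstash.yml. Assumes flat "key: value" lines (nested YAML not parsed).
DEFAULT_ENDPOINT="https://geoip.elastic.co/v1/database"

# Print the value of a top-level key (last occurrence wins); prints nothing when the
# key is absent. Trailing YAML comments and surrounding quotes are stripped.
yml_value() {
    awk -v k="$2" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (substr(line, 1, length(k)) != k) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*:/) next
            sub(/^[ \t]*:[ \t]*/, "", rest)        # drop the ":" separator
            sub(/[ \t]+#.*$/, "", rest)            # drop a trailing YAML comment
            gsub(/^["'\'']|["'\'']$/, "", rest)    # drop surrounding quotes
            v = rest
        }
        END { if (v != "") print v }
    ' "$1"
}

# Exit 0 when the configuration is affected, 1 otherwise; prints the reason.
geoip_config_affected() {
    local file="$1" enabled endpoint
    enabled="$(yml_value "$file" xpack.geoip.downloader.enabled)"
    endpoint="$(yml_value "$file" xpack.geoip.downloader.endpoint)"
    # Condition 1: downloader enabled. An unset key is conservatively treated as
    # enabled, so only an explicit "false" clears this condition.
    if [ "$enabled" = "false" ]; then
        echo "not affected: xpack.geoip.downloader.enabled is false"; return 1
    fi
    # Condition 2: endpoint explicitly set to a custom, insecure (non-HTTPS) URL.
    if [ -z "$endpoint" ] || [ "$endpoint" = "$DEFAULT_ENDPOINT" ]; then
        echo "not affected: endpoint unset or default ($DEFAULT_ENDPOINT)"; return 1
    fi
    case "$endpoint" in
        https://*) echo "custom HTTPS endpoint ($endpoint): confirm it is trusted"; return 1 ;;
        *)         echo "AFFECTED: custom non-HTTPS endpoint ($endpoint)"; return 0 ;;
    esac
}

# Node-level check: a missing logstash unit (systemctl exit status 4) means the
# deployment runs without Logstash and is not affected.
check_node() {
    local file="${1:-/etc/logstash/logstash.yml}"
    systemctl status logstash >/dev/null 2>&1; local rc=$?
    if [ "$rc" -eq 4 ]; then echo "Logstash not installed on this node: not affected"; return 1; fi
    geoip_config_affected "$file"
}
```

Run check_node as root on the application node; an exit status of 0 means both conditions hold and the mitigation steps above apply.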

Affected versions

All IC deployments that have enabled and deployed Logstash versions 8.19.13 and older, and have explicitly set xpack.geoip.downloader.endpoint to a custom and insecure URL.

IC instances deployed with the default Logstash configuration, i.e. that do not set the value of xpack.geoip.downloader.endpoint in /etc/logstash/logstash.yml, are at low risk.

EclecticIQ hosted customers are not affected. Customer clusters do not have Logstash deployed. If you do not deploy Logstash for your Intelligence Center instance, your instance is not affected.

Notes

N/A