Critical Fluentd Vulnerabilities Enable RCE, SSRF, DoS Attacks
Fluentd, the widely deployed open-source data collector used for unified logging across cloud-native environments, has disclosed several high-impact security vulnerabilities.
These flaws could allow attackers to achieve remote code execution (RCE), server-side request forgery (SSRF), denial-of-service (DoS) conditions, and exposure of sensitive credentials.
The issues, documented across multiple GitHub Security Advisories, affect all Fluentd versions up to 1.19.2 and have been patched in version 1.19.3.
Given Fluentd’s extensive footprint in Kubernetes ecosystems, logging pipelines, and cloud-native infrastructure, these vulnerabilities present serious risk, particularly for instances exposed to untrusted networks.
Critical Fluentd Vulnerabilities Patched
The most severe flaw, CVE-2026-44024, carries a maximum CVSS score of 10.0. It stems from Fluentd’s failure to validate the {tag} placeholder used in dynamic file path construction. Attackers can inject path-traversal sequences, such as ../../../, into log tags, enabling arbitrary file writes or overwrites.
When combined with permissive configurations, this can lead to a full system compromise; attackers could modify sensitive files, inject malicious plugins, or alter Fluentd’s configuration. Critically, the vulnerability requires no authentication and is remotely exploitable wherever log input endpoints are exposed.
CVE-2026-44025 affects the Monitor Agent plugin (in_monitor_agent), which exposes internal plugin state through a REST API. This API unintentionally leaks sensitive data including API keys, database credentials, and cloud tokens stored in plugin instance variables.
If the monitoring endpoint (default port 24220) is externally reachable, attackers can retrieve these secrets in plaintext without any authentication, significantly raising the risk of lateral movement and downstream data breaches.
CVE-2026-44160 targets gzip decompression handling in the in_http and in_forward plugins. By sending specially crafted compressed payloads, attackers can trigger excessive memory allocation during decompression, causing process crashes or out-of-memory termination.
This directly disrupts log ingestion pipelines and observability across affected infrastructure.
CVE-2026-44161 is an SSRF vulnerability in the out_http plugin, where placeholder expansion allows attackers to manipulate outbound request destinations. This could enable access to internal services or cloud metadata endpoints, potentially exposing sensitive credentials or facilitating further network compromise.
A legacy issue, CVE-2022-39379, also remains relevant in certain deployments. It involves insecure deserialization leading to RCE when the non-default configuration FLUENT_OJ_OPTION_MODE=object is enabled, allowing crafted JSON payloads to execute arbitrary code.
- CVE-2026-44024 – Critical RCE via path traversal in {tag} placeholder, enabling arbitrary file write (CVSS 10.0)
- CVE-2026-44025 – Sensitive credential exposure via unauthenticated Monitor Agent API (CVSS 7.5+)
- CVE-2026-44160 – DoS via gzip decompression bomb causing memory exhaustion (CVSS 7.5+)
- CVE-2026-44161 – SSRF via dynamic endpoint manipulation in out_http plugin (CVSS 6.5+)
- CVE-2022-39379 – RCE via insecure deserialization in non-default configurations
Mitigation
Security experts strongly urge organizations to upgrade to Fluentd version 1.19.3 immediately. Additional hardening steps include restricting network exposure of Fluentd ports (especially the Monitor Agent’s port 24220), avoiding untrusted input in placeholder fields, enforcing strict input validation across all plugins, and running Fluentd services with least-privilege permissions to limit blast radius in case of exploitation.
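Two of the input-validation checks this mitigation advice calls for, written here as an added Ruby example (not Fluentd's own code): a tag allow-list plus base-directory containment for the {tag} path-construction case (CVE-2026-44024), and a size-capped gzip inflater for the decompression case (CVE-2026-44160). The "<base_dir>/<tag>.log" template, the byte cap and the sample inputs are assumptions constructed for illustration.

```ruby
require "zlib"
require "stringio"

# Guard 1: placeholder-to-path resolution (the CVE-2026-44024 class of bug).
# The tag is untrusted input from whoever can reach the log input endpoint.
# Assumption: the path template is "<base_dir>/<tag>.log", a stand-in for a
# {tag} placeholder; real Fluentd path templates differ.
TAG_FORMAT = /\A[A-Za-z0-9_\-]+(\.[A-Za-z0-9_\-]+)*\z/ # dot-separated labels only

# Returns the absolute file path for the tag, or nil if the tag is rejected.
def safe_tag_path(base_dir, tag, suffix = ".log")
  return nil unless tag.is_a?(String) && tag.match?(TAG_FORMAT)
  base = File.expand_path(base_dir)
  candidate = File.expand_path("#{tag}#{suffix}", base)
  # Second, independent check: the resolved path must stay under base_dir
  # even if the allow-list above is later relaxed.
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Guard 2: bounded gzip inflation (the CVE-2026-44160 class of bug).
# Reads the stream in chunks and aborts as soon as the output would exceed
# max_bytes, so a tiny compressed payload cannot force a huge allocation.
def bounded_gunzip(data, max_bytes)
  out = String.new # binary buffer
  gz = Zlib::GzipReader.new(StringIO.new(data))
  begin
    while (chunk = gz.read(64 * 1024))
      out << chunk
      raise ArgumentError, "inflated size exceeds #{max_bytes} bytes" if out.bytesize > max_bytes
    end
  ensure
    gz.close
  end
  out
end

# Stand-alone demonstration with constructed inputs.
if $PROGRAM_NAME == __FILE__
  p safe_tag_path("/var/log/fluent", "app.nginx.access")     # stays inside base_dir
  p safe_tag_path("/var/log/fluent", "../../../tmp/escape")  # nil: rejected
  small = Zlib.gzip("x" * 1_000)
  bomb  = Zlib.gzip("\0" * 5_000_000) # a few KB compressed, 5 MB inflated
  p bounded_gunzip(small, 1_000_000).bytesize
  begin
    bounded_gunzip(bomb, 1_000_000)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```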