CVE-2026-44024
Ruby Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-44024 is a path traversal vulnerability in Fluentd that enables unauthenticated remote attackers to write arbitrary files, which can be escalated to full Remote Code Execution (RCE). The flaw exists in Fluentd's ${tag} placeholder used for dynamically constructing file paths, where insufficient validation allows injection of path traversal sequences (e.g., ../). All versions up to and including 1.19.2 are affected; the issue was disclosed and patched on June 26, 2026 with the release of v1.19.3. It carries a CVSS v3.1 base score of 9.8 (Critical) (GitHub Advisory, Fluentd Release).

Détails techniques

The root cause is insufficient input validation of the ${tag} placeholder when constructing file paths in output plugins such as out_file (CWE-22: Path Traversal; CWE-94: Code Injection). When Fluentd is configured to accept logs from untrusted sources and uses ${tag} in the path parameter, an attacker can craft a log tag containing ../ sequences to escape the intended output directory. Combined with certain formatting options, this allows the attacker to write attacker-controlled content to arbitrary filesystem locations, including sensitive system files or Fluentd plugin directories. The fix was implemented in PR #5391 (output: enforce strict path boundary validation for tag) included in v1.19.3 (GitHub Advisory, Fluentd Release).

Impact

Successful exploitation allows an unauthenticated attacker to write or overwrite arbitrary files on the host system with attacker-controlled content, bypassing directory restrictions. This arbitrary file write primitive can be directly escalated to RCE by overwriting critical system files (e.g., /etc/cron.d/, /etc/passwd), injecting malicious Fluentd plugins, or modifying configuration files — resulting in full system compromise. The severity is amplified when Fluentd runs as root, as is common in containerized and Kubernetes logging pipelines, potentially exposing millions of cloud and Kubernetes deployments to complete confidentiality, integrity, and availability loss (GitHub Advisory, SecureBulletin).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing or network-accessible Fluentd instances (default in_forward port 24224/TCP) using tools like Shodan, Censys, or Masscan, targeting versions ≤ 1.19.2.
  2. Verify configuration: Confirm the target Fluentd instance is configured to receive logs from untrusted sources and uses the ${tag} placeholder in an output plugin's path parameter (e.g., out_file with path /var/log/fluentd/${tag}.log).
  3. Craft malicious log tag: Construct a Fluentd forward protocol message with a tag containing path traversal sequences, such as ../../etc/cron.d/backdoor or ../../tmp/malicious_plugin.rb, combined with attacker-controlled log content.
  4. Send the payload: Transmit the crafted log message to the Fluentd in_forward listener (e.g., using fluent-cat or a raw TCP client implementing the MessagePack-based forward protocol).
  5. Achieve arbitrary file write: Fluentd processes the tag, resolves the traversed path, and writes the attacker-controlled log content to the target file outside the intended directory.
  6. Escalate to RCE: Depending on Fluentd's privileges, trigger execution of the written payload — for example, by writing a cron job, a malicious Ruby plugin file loaded by Fluentd, or overwriting an SSH authorized_keys file — to achieve remote code execution (GitHub Advisory, Fluentd Release).

Indicateurs de compromis

  • Network: Unexpected inbound TCP connections to Fluentd's in_forward port (default 24224) from untrusted or external IP addresses; unusual volume of log forwarding traffic from unknown sources.
  • File System: Presence of unexpected files outside the configured Fluentd output directory (e.g., new files in /etc/cron.d/, /etc/, /tmp/, or Fluentd plugin directories); modification timestamps on system files coinciding with Fluentd activity.
  • Logs: Fluentd log entries showing tags containing ../, ..%2F, or other path traversal sequences; errors or warnings related to file path boundary violations in Fluentd's output logs.
  • Process: Unexpected child processes spawned by the Fluentd Ruby process (e.g., shell commands, curl, wget, reverse shell processes); new cron jobs or scheduled tasks created around the time of suspicious Fluentd activity (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade Fluentd to v1.19.3 or later, which enforces strict path boundary validation for the ${tag} placeholder (PR #5391) (Fluentd Release). If an immediate upgrade is not possible, apply the following mitigations in priority order:

  • Restrict network access: Use firewall rules (e.g., iptables, AWS Security Groups) to block untrusted sources from reaching Fluentd input ports (default 24224/TCP).
  • Run Fluentd as a non-root user: This prevents writes to sensitive system directories such as /etc/, significantly limiting RCE escalation potential.
  • Revise configurations: Remove ${tag} from the path parameter of output plugins (out_file, etc.) when tags may originate from untrusted sources.
  • Filter incoming tags: Use fluent-plugin-rewrite-tag-filter to drop any tags containing . or / characters at the input layer (GitHub Advisory).

Réactions de la communauté

The vulnerability received broad coverage from security media outlets including CyberSecurityNews, CyberPress, VPNCentral, and SecureBulletin, with several articles highlighting the risk to cloud and Kubernetes logging pipelines (SecureBulletin, CyberSecurityNews). Belgium's Centre for Cybersecurity (CCB) issued a formal advisory warning about the critical RCE flaw (CCB Advisory). Tenable added detection coverage for the vulnerability in their container security and cloud security plugins. The Fluentd maintainer (Watson1978) published the advisory and patch simultaneously, and the reporter credited is "everping" (GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Ruby Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-44024CRITICAL9.8
  • Ruby logoRuby
  • ruby4.0-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-44160HIGH7.5
  • Ruby logoRuby
  • ruby3.2-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-44025HIGH7.5
  • Ruby logoRuby
  • ruby3.3-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-38969HIGH7.5
  • Ruby logoRuby
  • ruby-webrick
NonOuiJul 02, 2026
CVE-2026-44161HIGH7.2
  • Ruby logoRuby
  • ruby4.0-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités