
PEACH
Un cadre d’isolation des locataires
CVE-2026-44025 is an information disclosure vulnerability in Fluentd's Monitor Agent plugin (in_monitor_agent) that unintentionally exposes internal instance variables of loaded plugins via its REST API. Affected versions are all Fluentd releases up to and including v1.19.2 (RubyGems package). The vulnerability was published on June 26, 2026, with a patch released the same day. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Fluentd Security Advisory).
The root cause is a combination of CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-306 (Missing Authentication for Critical Function): the Monitor Agent's REST API endpoints (/api/plugins.json and related) serialize and return internal Ruby instance variables of all loaded plugins without filtering or authentication. If any plugin stores sensitive data — such as database passwords, API keys, or cloud credentials — in its instance variables, those values are included in the API response in plain text. An attacker only needs network-level HTTP access to the Monitor Agent port (default: TCP 24220) to retrieve this data; no credentials or special privileges are required (GitHub Advisory, Fluentd Security Advisory). The fix in v1.19.3 changes the default visibility of config, retry, and debug info in the monitor agent (PR #5392) (Fluentd v1.19.3 Release).
Successful exploitation results in unauthorized disclosure of sensitive credentials stored in Fluentd plugin instance variables, including database passwords, API keys, and cloud provider credentials. There is no integrity or availability impact — the vulnerability is purely a confidentiality issue. However, the exposed credentials could enable an attacker to pivot laterally into downstream systems such as databases, cloud environments, or third-party services that Fluentd plugins are configured to interact with, significantly amplifying the blast radius beyond the Fluentd host itself (GitHub Advisory).
nmap -p 24220 <target>) or Shodan/Censys queries for the service banner.curl http://<target>:24220/api/plugins.json./api/plugins.json or related endpoints. The response will include serialized internal instance variables for all loaded plugins./api/plugins.json or related Monitor Agent endpoints from non-local sources./api/plugins.json, /api/config.json, or other Monitor Agent endpoints originating from IPs outside the expected management network.0.0.0.0 instead of 127.0.0.1 in the Fluentd configuration file, indicating potential exposure to untrusted networks.Upgrade Fluentd to v1.19.3 or later, which changes the default visibility of sensitive config, retry, and debug information in the Monitor Agent API (Fluentd v1.19.3 Release). If immediate upgrade is not possible, apply the following workarounds: (1) Bind the Monitor Agent exclusively to localhost by setting bind 127.0.0.1 in the <source> block for @type monitor_agent; (2) Use firewall rules (e.g., iptables, AWS Security Groups) to block external access to port 24220 from untrusted networks (GitHub Advisory).
The vulnerability was covered by several cybersecurity news outlets shortly after disclosure, including CyberSecurityNews, CyberPress, and SecureBulletin, which noted that the flaw — along with other CVEs patched in v1.19.3 — could affect millions of cloud and Kubernetes logging pipelines (SecureBulletin, CyberSecurityNews). Japan's JVN (JVN#36011274) also published an advisory, reflecting the broad international attention given to Fluentd's widespread use in cloud-native and Kubernetes environments (JVN Advisory). The Fluentd project maintainer (Watson1978) published the advisory and patch simultaneously, indicating a coordinated disclosure process.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."