
PEACH
Un cadre d’isolation des locataires
CVE-2026-44161 is a Server-Side Request Forgery (SSRF) vulnerability in Fluentd's out_http output plugin, caused by insufficient validation of placeholder values (e.g., ${tag}) used in the endpoint configuration parameter. When placeholder values are derived from untrusted user input, an unauthenticated attacker can control the destination hostname of outbound HTTP requests made by Fluentd. All versions up to and including 1.19.2 (RubyGems package) are affected. The vulnerability was published on June 26, 2026, with a patch released in v1.19.3. It carries a CVSS v3.1 base score of 7.2 (High) (GitHub Advisory, Fluentd Security Advisory).
The root cause is CWE-918 (Server-Side Request Forgery), specifically the lack of strict host validation when resolving dynamic placeholders in the out_http plugin's endpoint parameter. When a Fluentd configuration uses a placeholder such as ${tag} as part of the endpoint hostname, and log tags are influenced by external/untrusted input, an attacker can craft a tag value that resolves to an arbitrary internal hostname or IP address. The fix introduced in v1.19.3 (PR #5394) adds strict host validation for dynamic endpoints to prevent redirection to arbitrary servers. Notably, the advisory clarifies that path/query manipulation via placeholders on the same validated host is considered intentional design behavior, not an SSRF vector, since out_http only issues POST/PUT requests — making cloud metadata extraction (which typically requires GET) infeasible (Fluentd Security Advisory, Fluentd v1.19.3 Release).
Successful exploitation allows an unauthenticated attacker to force the Fluentd node to send HTTP POST/PUT requests to arbitrary internal services, including internal APIs, microservices, and cloud provider metadata endpoints such as AWS IMDS (169.254.169.254). This can result in unauthorized access to internal infrastructure, data exfiltration from internal services, and potential credential compromise if internal services respond with sensitive tokens or configuration data. The scope is marked as "Changed" in CVSS, reflecting that the impact extends beyond the Fluentd process itself to other internal systems (GitHub Advisory, Fluentd Security Advisory).
out_http plugin with a placeholder (e.g., ${tag}) in the endpoint configuration parameter for the hostname portion.in_http, in_forward, or other input plugins that accept externally supplied tag values.169.254.169.254 for AWS IMDS, or an internal microservice address like internal-api.corp).169.254.169.254, RFC 1918 addresses) or unusual internal hostnames not in the normal endpoint configuration.out_http plugin configuration using ${tag} or other placeholders in the endpoint hostname field, especially when input plugins accept externally supplied tags.169.254.169.254, fd00:ec2::254) or internal microservice addresses not listed in the static configuration (Fluentd Security Advisory).Upgrade Fluentd to v1.19.3 or later, which introduces strict host validation for dynamic endpoints in the out_http plugin (PR #5394) (Fluentd v1.19.3 Release). If an immediate upgrade is not possible, apply the following workarounds: (1) Avoid dynamic hostnames — do not use placeholders like ${tag} in the endpoint parameter's hostname portion; (2) Restrict network access — use firewall rules (e.g., iptables, AWS Security Groups) to block Fluentd from reaching sensitive internal IPs, including cloud metadata services; (3) Restrict allowed hosts — inject a filter plugin to explicitly allowlist valid destination hosts before routing events to out_http (GitHub Advisory, Fluentd Security Advisory).
The vulnerability received coverage from multiple security news outlets shortly after disclosure, including SecurityOnline, CyberSecurityNews, CyberPress, and SecureBulletin, with some headlines characterizing the broader set of Fluentd v1.19.3 fixes as exposing "millions of cloud and Kubernetes logging pipelines" to RCE and data leaks (SecureBulletin, SecurityOnline). The Japan Vulnerability Notes (JVN) also published an advisory (JVN#36011274), indicating recognition by national cybersecurity authorities (JVN). The Fluentd maintainer (Watson1978) published the advisory and patch promptly, and the fix was credited to reporter "everping" (Fluentd Security Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."