CVE-2026-44161
Ruby Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-44161 is a Server-Side Request Forgery (SSRF) vulnerability in Fluentd's out_http output plugin, caused by insufficient validation of placeholder values (e.g., ${tag}) used in the endpoint configuration parameter. When placeholder values are derived from untrusted user input, an unauthenticated attacker can control the destination hostname of outbound HTTP requests made by Fluentd. All versions up to and including 1.19.2 (RubyGems package) are affected. The vulnerability was published on June 26, 2026, with a patch released in v1.19.3. It carries a CVSS v3.1 base score of 7.2 (High) (GitHub Advisory, Fluentd Security Advisory).

Détails techniques

The root cause is CWE-918 (Server-Side Request Forgery), specifically the lack of strict host validation when resolving dynamic placeholders in the out_http plugin's endpoint parameter. When a Fluentd configuration uses a placeholder such as ${tag} as part of the endpoint hostname, and log tags are influenced by external/untrusted input, an attacker can craft a tag value that resolves to an arbitrary internal hostname or IP address. The fix introduced in v1.19.3 (PR #5394) adds strict host validation for dynamic endpoints to prevent redirection to arbitrary servers. Notably, the advisory clarifies that path/query manipulation via placeholders on the same validated host is considered intentional design behavior, not an SSRF vector, since out_http only issues POST/PUT requests — making cloud metadata extraction (which typically requires GET) infeasible (Fluentd Security Advisory, Fluentd v1.19.3 Release).

Impact

Successful exploitation allows an unauthenticated attacker to force the Fluentd node to send HTTP POST/PUT requests to arbitrary internal services, including internal APIs, microservices, and cloud provider metadata endpoints such as AWS IMDS (169.254.169.254). This can result in unauthorized access to internal infrastructure, data exfiltration from internal services, and potential credential compromise if internal services respond with sensitive tokens or configuration data. The scope is marked as "Changed" in CVSS, reflecting that the impact extends beyond the Fluentd process itself to other internal systems (GitHub Advisory, Fluentd Security Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify Fluentd deployments (version ≤ 1.19.2) that use the out_http plugin with a placeholder (e.g., ${tag}) in the endpoint configuration parameter for the hostname portion.
  2. Identify input vector: Determine how log tags are populated — for example, via in_http, in_forward, or other input plugins that accept externally supplied tag values.
  3. Craft malicious tag: Submit a log event with a tag value set to a target internal hostname or IP address (e.g., 169.254.169.254 for AWS IMDS, or an internal microservice address like internal-api.corp).
  4. Trigger SSRF: When Fluentd processes the event and resolves the placeholder, it constructs an endpoint URL using the attacker-controlled hostname and issues an HTTP POST/PUT request to that internal target.
  5. Harvest response data: If the internal service responds with sensitive data (e.g., IAM credentials from cloud metadata, internal API tokens), the attacker may be able to retrieve this data depending on how Fluentd handles or logs response bodies (Fluentd Security Advisory, GitHub Advisory).

Indicateurs de compromis

  • Network: Unexpected outbound HTTP POST/PUT requests from the Fluentd node to internal IP ranges (e.g., 169.254.169.254, RFC 1918 addresses) or unusual internal hostnames not in the normal endpoint configuration.
  • Logs: Fluentd logs showing HTTP requests to unexpected or dynamically resolved endpoints; connection errors or responses from internal services not normally contacted by Fluentd.
  • Configuration: out_http plugin configuration using ${tag} or other placeholders in the endpoint hostname field, especially when input plugins accept externally supplied tags.
  • Process/Network: Fluentd process initiating connections to cloud metadata services (169.254.169.254, fd00:ec2::254) or internal microservice addresses not listed in the static configuration (Fluentd Security Advisory).

Atténuation et solutions de contournement

Upgrade Fluentd to v1.19.3 or later, which introduces strict host validation for dynamic endpoints in the out_http plugin (PR #5394) (Fluentd v1.19.3 Release). If an immediate upgrade is not possible, apply the following workarounds: (1) Avoid dynamic hostnames — do not use placeholders like ${tag} in the endpoint parameter's hostname portion; (2) Restrict network access — use firewall rules (e.g., iptables, AWS Security Groups) to block Fluentd from reaching sensitive internal IPs, including cloud metadata services; (3) Restrict allowed hosts — inject a filter plugin to explicitly allowlist valid destination hosts before routing events to out_http (GitHub Advisory, Fluentd Security Advisory).

Réactions de la communauté

The vulnerability received coverage from multiple security news outlets shortly after disclosure, including SecurityOnline, CyberSecurityNews, CyberPress, and SecureBulletin, with some headlines characterizing the broader set of Fluentd v1.19.3 fixes as exposing "millions of cloud and Kubernetes logging pipelines" to RCE and data leaks (SecureBulletin, SecurityOnline). The Japan Vulnerability Notes (JVN) also published an advisory (JVN#36011274), indicating recognition by national cybersecurity authorities (JVN). The Fluentd maintainer (Watson1978) published the advisory and patch promptly, and the fix was credited to reporter "everping" (Fluentd Security Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Ruby Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-44024CRITICAL9.8
  • Ruby logoRuby
  • ruby4.0-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-44160HIGH7.5
  • Ruby logoRuby
  • ruby3.2-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-44025HIGH7.5
  • Ruby logoRuby
  • ruby3.3-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-38969HIGH7.5
  • Ruby logoRuby
  • ruby-webrick
NonOuiJul 02, 2026
CVE-2026-44161HIGH7.2
  • Ruby logoRuby
  • ruby4.0-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités