Back to overview

CVE-2026-44161

HIGH
7.2
CVSS 3.1
Description
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.

Metadata

CVE ID
CVE-2026-44161
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-05 14:39 UTC
Published
2026-07-08 21:25 UTC
Last updated
2026-07-08 21:25 UTC
Primary CWE
CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product
fluent / fluentd
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Affected products (1)
VendorProductPlatformVersions
fluent fluentd < 1.19.3
Weakness (CWE)
CWESourceDescription
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
References (4)
Back to overview