Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
AnalysisAI
Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.
Technical ContextAI
HestiaCP is an open-source Linux server control panel written in PHP for managing web hosting (domains, mail, DNS, databases). The vulnerable code path in web/inc/helpers.php and web/inc/main.php read the CF-Connecting-IP, X-Forwarded-For, Forwarded, and related proxy headers directly from $_SERVER and assigned the supplied value as the client's effective IP without first confirming that $_SERVER['REMOTE_ADDR'] (the actual TCP peer) belonged to Cloudflare's published IP ranges. This is a textbook CWE-348 (Use of Less Trusted Source) flaw: a header that is only authoritative when the request truly came from a trusted reverse proxy was treated as authoritative for every request. The fix introduces the divinity76/cloudflare-ip-validator Composer dependency and only honours CF-Connecting-IP when REMOTE_ADDR is in the Cloudflare IP space, and centralises IP resolution behind a single get_real_user_ip() helper.
RemediationAI
Upstream fix available as commit f381e294500f671cf12716c638afd0bfde901f88 merged via pull request https://github.com/hestiacp/hestiacp/pull/5273 - apply the released patched HestiaCP build that contains this commit (any version after 1.9.4 incorporating PR #5273). Until upgrade is possible, compensating controls include placing HestiaCP strictly behind Cloudflare (or another reverse proxy) and configuring the web server to overwrite or strip incoming CF-Connecting-IP, X-Forwarded-For, HTTP_CLIENT_IP, Forwarded, and X-Forwarded headers from any source whose REMOTE_ADDR is not in Cloudflare's published IP ranges (https://www.cloudflare.com/ips/); note that stripping these headers will cause all logged client IPs to collapse to the proxy address, reducing forensic granularity. Additionally restrict the HestiaCP admin port (default 8083) to known administrator IPs at the firewall, which limits both this bypass and brute-force surface but breaks remote administration from arbitrary networks. Vendor advisory references: https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header and the third-party exploit write-up at https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634.
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. Rated medium severity (CVS
Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web ter
Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6. Rated medium severity (CVSS 5
Privilege escalation to root in the HestiaCP web hosting control panel (versions before 1.9.5) lets any low-privilege au
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authentica
Same weakness CWE-348 – Use of Less Trusted Source
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30935
GHSA-72fg-f46j-5gvp