Skip to main content

HestiaCP CVE-2026-43634

| EUVDEUVD-2026-30935 HIGH
Use of Less Trusted Source (CWE-348)
2026-05-19 VulnCheck GHSA-72fg-f46j-5gvp
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 19, 2026 - 15:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 15:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 19, 2026 - 15:01 vuln.today
Analysis Generated
May 19, 2026 - 15:01 vuln.today

DescriptionCVE.org

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

AnalysisAI

Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.

Technical ContextAI

HestiaCP is an open-source Linux server control panel written in PHP for managing web hosting (domains, mail, DNS, databases). The vulnerable code path in web/inc/helpers.php and web/inc/main.php read the CF-Connecting-IP, X-Forwarded-For, Forwarded, and related proxy headers directly from $_SERVER and assigned the supplied value as the client's effective IP without first confirming that $_SERVER['REMOTE_ADDR'] (the actual TCP peer) belonged to Cloudflare's published IP ranges. This is a textbook CWE-348 (Use of Less Trusted Source) flaw: a header that is only authoritative when the request truly came from a trusted reverse proxy was treated as authoritative for every request. The fix introduces the divinity76/cloudflare-ip-validator Composer dependency and only honours CF-Connecting-IP when REMOTE_ADDR is in the Cloudflare IP space, and centralises IP resolution behind a single get_real_user_ip() helper.

RemediationAI

Upstream fix available as commit f381e294500f671cf12716c638afd0bfde901f88 merged via pull request https://github.com/hestiacp/hestiacp/pull/5273 - apply the released patched HestiaCP build that contains this commit (any version after 1.9.4 incorporating PR #5273). Until upgrade is possible, compensating controls include placing HestiaCP strictly behind Cloudflare (or another reverse proxy) and configuring the web server to overwrite or strip incoming CF-Connecting-IP, X-Forwarded-For, HTTP_CLIENT_IP, Forwarded, and X-Forwarded headers from any source whose REMOTE_ADDR is not in Cloudflare's published IP ranges (https://www.cloudflare.com/ips/); note that stripping these headers will cause all logged client IPs to collapse to the proxy address, reducing forensic granularity. Additionally restrict the HestiaCP admin port (default 8083) to known administrator IPs at the firewall, which limits both this bypass and brute-force surface but breaks remote administration from arbitrary networks. Vendor advisory references: https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header and the third-party exploit write-up at https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634.

Share

CVE-2026-43634 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy