Which versions of HestiaCP are affected by CVE-2026-43634?

HestiaCP versions 1.2.0 through 1.9.4 contain an authentication bypass vulnerability (CVSS 8.7) that allows unauthenticated remote attackers to spoof source IP addresses through HTTP header…. A patch is available.

Is there a public PoC exploit available for CVE-2026-43634?

Yes, a public proof-of-concept exploit is available for CVE-2026-43634. Prioritise patching immediately. EPSS: 0.0%.

HestiaCP CVE-2026-43634

Q: What is the CVSS score of CVE-2026-43634?

CVE-2026-43634 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30935 HIGH

Use of Less Trusted Source (CWE-348)

2026-05-19 VulnCheck

GHSA-72fg-f46j-5gvp

Authentication Bypass

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 19, 2026 - 15:32 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 19, 2026 - 15:22 vuln.today

cvss_changed

CVSS changed

May 19, 2026 - 15:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Source Code Evidence Fetched

May 19, 2026 - 15:01 vuln.today

Analysis Generated

May 19, 2026 - 15:01 vuln.today

DescriptionNVD

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

AnalysisAI

Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. …

RemediationAI

Within 24 hours: Identify all HestiaCP instances in production and determine which versions are deployed (1.2.0-1.9.4 are affected); obtain and apply the vendor patch immediately. Within 7 days: Complete patching across all HestiaCP deployments and validate fail2ban and rate-limiting controls function correctly post-patch. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43634 vulnerability details – vuln.today

Back

HestiaCP CVE-2026-43634

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

HestiaCP CVE-2026-43634

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code