Skip to main content

Fluentd CVE-2026-44024

CRITICAL
Path Traversal (CWE-22)
2026-06-26 https://github.com/fluent/fluentd GHSA-44hj-4m45-frj3
9.8
CVSS 3.1 · Vendor: https://github.com/fluent/fluentd
Share

Severity by source

Vendor (https://github.com/fluent/fluentd) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N), but AC:H because exploitation requires a non-default config using ${tag} in output paths plus untrusted tag ingestion; file write yields full CIA impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/fluent/fluentd).

CVSS VectorVendor: https://github.com/fluent/fluentd

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 17:20 vuln.today
Analysis Generated
Jun 26, 2026 - 17:20 vuln.today

DescriptionCVE.org

Fluentd allows dynamically constructing file paths using the ${tag} placeholder. It was discovered that validation for this placeholder was insufficient.

If a Fluentd instance is configured to receive logs from untrusted sources and uses the ${tag} placeholder in file configurations (such as the path parameter in the out_file plugin), an attacker can inject path traversal characters (e.g., ../).

When combined with certain formatting options, this vulnerability allows an attacker to write arbitrary files or overwrite existing files on the system with attacker-controlled content, bypassing intended directory restrictions.

Impact

This vulnerability allows for Arbitrary File Write, which can be directly escalated to full Remote Code Execution (RCE). An attacker could achieve RCE by overwriting critical system files, injecting executable plugins, or modifying configuration files. The impact is Critical as it can lead to full system compromise without any authentication, depending on the Fluentd configuration and the privileges of the Fluentd process.

Patches

v1.19.3

Workarounds

If an immediate upgrade is not possible, users are strongly advised to apply the following mitigations:

  1. Restrict Network Access
  • Ensure that Fluentd input ports (such as in_forward on default port 24224) are deployed within a closed, trusted network. Use firewall rules (e.g., iptables, AWS Security Groups) to block access from untrusted networks or instances.
  1. Run Fluentd as a non-root user
  • Dropping privileges prevents Fluentd from writing to sensitive system directories (e.g., /etc/), significantly mitigating the risk of system-wide RCE.
  1. Revise configurations
  • Do not use the ${tag} placeholder in the path parameter of output plugins (like out_file) if the tag originates from an untrusted source.
  1. Filter incoming tags
  • Strictly validate and filter incoming tags at the input layer (e.g., using fluent-plugin-rewrite-tag-filter) to drop any tags containing . or / characters.

AnalysisAI

{tag} placeholder used to dynamically build output file paths. When an instance ingests logs from untrusted sources and references ${tag} in a path parameter (e.g., the out_file plugin), an attacker can inject ../ traversal sequences to write or overwrite arbitrary files with attacker-controlled content, which the vendor states is directly escalatable to full RCE. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed in_forward port (24224)
Delivery
Send log event with ../ in tag
Exploit
Tag substituted into out_file path
Execution
Traversal escapes output directory
Persist
Overwrite config/plugin file
Impact
Achieve code execution as Fluentd process

Vulnerability AssessmentAI

Exploitation Exploitation requires a Fluentd instance that (1) receives logs/tags from untrusted sources, typically via a network input such as `in_forward` on default port 24224, and (2) uses the `${tag}` placeholder in a file path parameter of an output plugin (notably the `path` in `out_file`), combined with certain output formatting options that let the attacker control written content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially aligned. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an exposed `in_forward` port (24224) on a Fluentd instance that writes via `out_file` with a `${tag}`-templated path sends a forged log event whose tag embeds `../` traversal sequences and, combined with formatting options, attacker-controlled content. Fluentd substitutes the malicious tag into the output path, escaping the intended directory to overwrite a sensitive file - for example a config file or an executable Ruby plugin - and if the process runs as root this yields system-wide RCE. …
Remediation Primary fix: upgrade to Vendor-released patch v1.19.3 or later, which enforces strict path-boundary validation for tag-derived paths (release: https://github.com/fluent/fluentd/releases/tag/v1.19.3; advisory: https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable the out_file plugin for untrusted log sources or isolate affected systems from processing untrusted logs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy