Fluentd CVE-2026-44161
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Network and unauthenticated with no UI, but AC:H because exploitation requires a non-default dynamic-hostname out_http config; scope change for SSRF into other systems, limited confidentiality/availability impact, no integrity impact.
Primary rating from Vendor (https://github.com/fluent/fluentd).
CVSS VectorVendor: https://github.com/fluent/fluentd
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
The out_http output plugin allows the use of placeholders (such as ${tag}) in the endpoint configuration parameter. It was discovered that if the placeholder value is derived from untrusted user input, an attacker can maliciously control the destination hostname of the outbound HTTP requests made by Fluentd.
Impact
This vulnerability allows for a Server-Side Request Forgery (SSRF) attack. An unauthenticated attacker can force the Fluentd node to send HTTP requests to arbitrary internal services. This can lead to unauthorized access to internal APIs, data exfiltration, or the compromise of cloud metadata endpoints (e.g., AWS IMDS 169.254.169.254).
Patches
v1.19.3
Workarounds
If an immediate upgrade is not possible, users are strongly advised to apply the following mitigations:
- Avoid Dynamic Hostnames
- Do not use the placeholder in the endpoint parameter as hostname.
- Restrict Network Access
- Use firewall rules (e.g., iptables, AWS Security Groups) to block the Fluentd node from accessing sensitive internal IP addresses, specifically the cloud provider's metadata service and other internal microservices that Fluentd does not explicitly need to access.
- Restrict allowed hosts
- Inject filter to accept allowed hosts in placeholders explicitly if possible.
AnalysisAI
{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the out_http output plugin to be configured with a placeholder (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L, base 7.2) presents this as network-reachable, low-complexity, unauthenticated, with a scope change reflecting that the SSRF reaches systems beyond Fluentd itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Fluentd aggregator is configured with an out_http endpoint such as http://${tag}/ingest to dynamically route logs. An attacker submits crafted log events whose tag (or record field) resolves to 169.254.169.254, causing Fluentd to request the cloud metadata endpoint and potentially leak IAM credentials, or to reach an internal admin API otherwise unexposed. … |
| Remediation | Upgrade to Fluentd 1.19.3, which adds strict host validation for dynamic out_http endpoints (upstream PR https://github.com/fluent/fluentd/pull/5394); this is a tagged release, so apply Vendor-released patch: 1.19.3 as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Fluentd instances and versions across production and development environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-72f5-rr8c-r6gr