IP Spoofing Vulnerability in HestiaCP Affects Multiple Versions
CVE-2026-43634

8.7 HIGH

Key Information:

Vendor

Hestiacp

Status
Vendor
CVE Published:
19 May 2026

Badges

👾 Exploit Exists  🟡 Public PoC

What is CVE-2026-43634?

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that lets unauthenticated remote attackers evade authentication controls. Because the application trusts the CF-Connecting-IP HTTP header regardless of which host actually sent the request, an attacker who sets a forged address in that header is treated as if the request came from that address. This allows bypassing fail2ban brute-force protections, defeating per-IP allowlists, and poisoning authentication audit logs with trusted addresses, potentially leading to significant unauthorized access and control over affected systems.
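The trust decision the description above turns on, shown as an added example that is not HestiaCP's own code: a naive client-IP lookup that honours CF-Connecting-IP from any peer, next to a hardened lookup that only honours it when the TCP peer is a known proxy address and the header value parses as a single IP. A simplified per-IP failed-login counter shows why the difference matters for lockout logic. The proxy ranges and request samples are constructed for the demonstration, not Cloudflare's published ranges.

```python
"""Client-IP resolution behind a reverse proxy: spoofable vs. hardened.

Added example, not HestiaCP code. Proxy ranges and requests are constructed.
"""
import ipaddress

# Constructed trusted-proxy ranges for this demonstration. A real deployment
# would load the proxy vendor's published IPv4/IPv6 lists and refresh them.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

LOCKOUT_THRESHOLD = 5  # failed logins per client IP before lockout (constructed)


def client_ip_naive(peer_ip, headers):
    """Vulnerable pattern: honours CF-Connecting-IP no matter who sent it."""
    return headers.get("CF-Connecting-IP", peer_ip)


def is_trusted_proxy(peer_ip):
    """True if the TCP peer address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_ip_hardened(peer_ip, headers):
    """Honour CF-Connecting-IP only from a trusted proxy and only if it is
    a single well-formed address; otherwise fall back to the TCP peer."""
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    value = headers.get("CF-Connecting-IP")
    if value is None:
        return peer_ip
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        # Malformed or multi-valued header: do not trust it.
        return peer_ip


def failed_logins_by_ip(requests, resolve):
    """Count failed logins per resolved client IP (a simplified lockout model)."""
    counts = {}
    for peer_ip, headers in requests:
        ip = resolve(peer_ip, headers)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def locked_out(counts, threshold=LOCKOUT_THRESHOLD):
    """IPs whose failed-login count has reached the lockout threshold."""
    return {ip for ip, n in counts.items() if n >= threshold}


# Constructed sample: five failed logins from one direct (non-proxy) peer,
# each carrying a different forged CF-Connecting-IP value.
DIRECT_ATTEMPTS = [
    ("198.51.100.7", {"CF-Connecting-IP": f"192.0.2.{i}"}) for i in range(1, 6)
]

# Constructed sample: a legitimate request relayed by a trusted proxy.
PROXIED_REQUEST = ("203.0.113.10", {"CF-Connecting-IP": "192.0.2.50"})


if __name__ == "__main__":
    for name, resolve in (("naive", client_ip_naive), ("hardened", client_ip_hardened)):
        counts = failed_logins_by_ip(DIRECT_ATTEMPTS, resolve)
        print(f"{name}: counts={counts} locked_out={locked_out(counts)}")
    print("proxied request resolves to", client_ip_hardened(*PROXIED_REQUEST))
```

With the naive resolver the five attempts are spread over five forged addresses, so no address ever reaches the threshold; the hardened resolver attributes all five to the real peer and locks it out. The same rule should govern what address is written to authentication logs and compared against allowlists.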

Affected Version(s)

hestiacp 1.2.0 <= 1.9.4

hestiacp f381e294500f671cf12716c638afd0bfde901f88

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

sutol
divinity76