Remote Code Execution in Fluentd Out_HTTP Output Plugin
CVE-2026-44161
7.2HIGH
What is CVE-2026-44161?
The Fluentd Out_HTTP output plugin has a vulnerability that can be exploited by providing untrusted input for endpoint configuration placeholders, such as ${tag}. This flaw allows attackers to dictate the destination hostname for outbound HTTP requests, potentially redirecting them to arbitrary internal services. This issue was addressed in version 1.19.3, which eliminates the risk by ensuring that placeholder values are properly validated and sanitized.
Affected Version(s)
fluentd < 1.19.3
