Remote Code Execution in Fluentd Out_HTTP Output Plugin
CVE-2026-44161

7.2HIGH

Key Information:

Vendor

Fluent

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-44161?

The Fluentd Out_HTTP output plugin has a vulnerability that can be exploited by providing untrusted input for endpoint configuration placeholders, such as ${tag}. This flaw allows attackers to dictate the destination hostname for outbound HTTP requests, potentially redirecting them to arbitrary internal services. This issue was addressed in version 1.19.3, which eliminates the risk by ensuring that placeholder values are properly validated and sanitized.

Affected Version(s)

fluentd < 1.19.3

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.