SB20260629114 - Multiple vulnerabilities in Fluentd

Published: June 29, 2026

Security Bulletin ID: SB20260629114
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 25%, Medium: 75%

Description

This security bulletin contains information about 4 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2026-44024)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to path traversal in the `${tag}` placeholder handling in file path configuration when processing log tags from untrusted sources. A remote attacker can inject path traversal sequences into a crafted tag to execute arbitrary code.

Exploitation requires the `${tag}` placeholder to be used in file-related configuration such as the `path` parameter, and certain formatting options can enable arbitrary file write or overwrite of existing files.
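As an added example (not Fluentd's own code and not the vendor's fix), the following Ruby shows the kind of guard a plugin author can apply before a tag-derived value is substituted into a `path` template: the tag is restricted to Fluentd's dot-separated label syntax, and the expanded path is then normalised and checked to still lie under the configured base directory. The base directory, the template and the tag values are assumptions constructed for this example.

```ruby
# Added example, not Fluentd's code: validate a `${tag}` value before it is
# substituted into a file `path` template, then confirm the expanded path still
# lies under the intended base directory. BASE_DIR, TEMPLATE and the tags used
# in the checks are assumed values constructed for this example.

BASE_DIR = "/var/log/fluent".freeze
TEMPLATE = "#{BASE_DIR}/${tag}/buffer.log".freeze  # "${tag}" is left literal here

# Fluentd tags are dot-separated labels: allow only label characters and the
# dot, so path separators (and anything that could encode one) never reach
# the template.
TAG_CHARS = /\A[A-Za-z0-9_.-]+\z/

def safe_tag?(tag)
  return false unless tag.is_a?(String) && tag.match?(TAG_CHARS)
  # Every dot-separated component must be non-empty, which rules out ".."
  # sequences; split(".", -1) keeps trailing empty components so "app." fails.
  tag.split(".", -1).none?(&:empty?)
end

# Expand the placeholder and return the resulting path, or raise ArgumentError.
def expand_tag_path(template, tag, base_dir = BASE_DIR)
  raise ArgumentError, "rejected tag #{tag.inspect}" unless safe_tag?(tag)
  base = File.expand_path(base_dir)
  path = File.expand_path(template.gsub("${tag}", tag))
  # Defence in depth: the normalised path must stay inside base_dir even if
  # the allowlist above is later relaxed.
  inside = path == base || path.start_with?(base + File::SEPARATOR)
  raise ArgumentError, "path #{path} escapes #{base}" unless inside
  path
end

def tag_path_allowed?(template, tag, base_dir = BASE_DIR)
  expand_tag_path(template, tag, base_dir)
  true
rescue ArgumentError
  false
end
```

The character allowlist is the primary control; the base-directory check after expansion is there so that a future template change (for example one that places the placeholder in the middle of a filename) cannot silently reintroduce an escape.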


2) Missing Authentication for Critical Function (CVE-ID: CVE-2026-44025)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication for a critical function in the Monitor Agent API endpoints when handling HTTP requests to `/api/plugins.json` and related endpoints. A remote attacker can send an unauthenticated request to these endpoints and read credentials used by other Fluentd plugins, disclosing sensitive information.

The issue exposes internal instance variables of loaded plugins in plain text, and the impact depends on whether the Monitor Agent port is reachable and whether configured plugins store secrets in instance variables.
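The bulletin notes that the exposure comes from plugin instance variables being serialised in plain text. Beyond updating and keeping the Monitor Agent port off untrusted networks, a defence-in-depth measure is to mask secret-bearing variables before any such dump is emitted. The Ruby below is an added example (not Fluentd's code): a recursive redactor for a plugin dump in the shape of the constructed `SAMPLE_DUMP`; the variable names, the secret-name pattern and the values are all assumptions for this example.

```ruby
# Added example, not Fluentd's code: mask credential-looking instance
# variables in a plugin dump before it is serialised. SECRET_NAME and
# SAMPLE_DUMP are constructed assumptions for this example.
require "json"

# Variable names that usually hold a credential; extend to match the plugins in use.
SECRET_NAME = /pass|secret|token|credential|sec_key|_key\z/i
REDACTED = "[REDACTED]".freeze

def secret_name?(name)
  name.to_s.match?(SECRET_NAME)
end

# Walk a Hash/Array dump and replace every value stored under a secret-looking
# key with REDACTED. A Hash or Array under such a key is masked as a whole, so
# nested credential structures do not leak through their inner keys.
def redact_secrets(obj, key = nil)
  return REDACTED if secret_name?(key) && !obj.nil?
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), out| out[k] = redact_secrets(v, k) }
  when Array then obj.map { |v| redact_secrets(v, key) }
  else obj
  end
end

def redacted_json(dump)
  JSON.generate(redact_secrets(dump))
end

# Constructed sample in the shape of a per-plugin record with its instance
# variables; names and values are made up for this example.
SAMPLE_DUMP = {
  "plugins" => [
    {
      "plugin_id" => "out_http_1",
      "type" => "http",
      "instance_variables" => {
        "@endpoint"  => "https://logs.example.net/ingest",
        "@username"  => "shipper",
        "@password"  => "example-password",
        "@api_token" => "example-token",
        "@retries"   => 3
      }
    }
  ]
}.freeze
```

Name-based redaction is only as good as the pattern, so treat it as a safety net rather than a replacement for the vendor update and for restricting which addresses can reach the Monitor Agent.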


3) Improper handling of highly compressed data (CVE-ID: CVE-2026-44160)

CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in the `in_http` and `in_forward` plugins when processing gzip-compressed input. A remote attacker can send a maliciously crafted, highly compressed payload to cause a denial of service.

The issue can lead to memory exhaustion and an out-of-memory kill of the Fluentd process.
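The mitigation for data amplification is to bound the inflated output rather than trust the compressed size. As an added example (not Fluentd's code), the Ruby below uses `Zlib::Inflate` in its block form so the output is checked chunk by chunk and decompression is abandoned as soon as the limit is crossed, instead of materialising the whole payload first. The payloads are constructed inside the block: 8 MB of NUL bytes compresses to a few kilobytes, which is enough to show the ratio that makes this class of input dangerous.

```ruby
# Added example, not Fluentd's code: inflate gzip input under a hard output
# limit. SMALL_PAYLOAD and AMPLIFIED_PAYLOAD are constructed for this example.
require "zlib"

class DecompressionLimitExceeded < StandardError; end

# Inflate `data` (gzip or zlib framed) but raise as soon as the output would
# exceed max_bytes. The block form of Inflate#inflate yields output as it is
# produced, so the check runs before the full payload exists in memory.
def bounded_gunzip(data, max_bytes:)
  out = +""
  # MAX_WBITS + 32 lets zlib auto-detect a gzip or zlib header.
  inflater = Zlib::Inflate.new(Zlib::MAX_WBITS + 32)
  begin
    inflater.inflate(data) do |chunk|
      out << chunk
      if out.bytesize > max_bytes
        raise DecompressionLimitExceeded,
              "inflated output exceeds #{max_bytes} bytes " \
              "(compressed input was #{data.bytesize} bytes)"
      end
    end
  ensure
    inflater.close
  end
  out
end

# Convenience predicate for an ingest path: true only if the payload inflates
# completely within the limit; corrupt input is treated as not allowed.
def within_limit?(data, max_bytes)
  bounded_gunzip(data, max_bytes: max_bytes)
  true
rescue DecompressionLimitExceeded, Zlib::Error
  false
end

# Constructed inputs: a normal small message and a highly compressible one.
SMALL_PAYLOAD     = Zlib.gzip("hello, fluentd")
AMPLIFIED_PAYLOAD = Zlib.gzip("\0" * (8 * 1024 * 1024))
```

Pick `max_bytes` from the largest record batch the pipeline legitimately expects; the limit should be enforced per request before the inflated data is parsed or buffered further.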


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-44161)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery.

The vulnerability exists due to server-side request forgery in the `endpoint` configuration parameter of the `out_http` plugin when expanding placeholders derived from untrusted user input. A remote attacker can supply a crafted placeholder value to perform server-side request forgery.

This can cause outbound HTTP requests to be sent to internal services or cloud metadata endpoints.
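A destination built from placeholders needs validating after expansion, not before. The Ruby below is an added example (not Fluentd's code): placeholder values are limited to a single path-segment character set, the expanded URL's scheme and host are checked against an allowlist, and the host's resolved addresses are checked against loopback, private and link-local ranges so that a DNS answer cannot redirect the request to an internal service or a metadata endpoint. The allowlist, the template and the injected resolver are assumptions for this example; the resolver is injectable only so the checks run offline.

```ruby
# Added example, not Fluentd's code: expand ${name} placeholders in an
# outbound endpoint template and refuse destinations outside an allowlist or
# resolving to internal address space. ALLOWED_HOSTS, the templates and the
# resolver lambdas used in the checks are assumptions for this example.
require "uri"
require "ipaddr"
require "resolv"

# Ranges an outbound log shipper should never be steered to: loopback,
# RFC 1918 private space, link-local (where cloud metadata services live)
# and their IPv6 counterparts.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Assumed allowlist of hosts the output plugin is permitted to contact.
ALLOWED_HOSTS = %w[logs.example.net].freeze

# A placeholder value is a single path segment: letters, digits, dot, dash,
# underscore. Slashes, '@', ':' and '?' are rejected so a value cannot
# rewrite the authority or query of the URL.
SAFE_VALUE = /\A[A-Za-z0-9_.-]+\z/

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

# Expand the template and return the final URL string, or raise ArgumentError.
def resolve_endpoint(template, values, allowed_hosts: ALLOWED_HOSTS,
                     resolver: ->(host) { Resolv.getaddresses(host) })
  expanded = template.gsub(/\$\{([A-Za-z_]+)\}/) do
    name  = Regexp.last_match(1)
    value = values.fetch(name) { raise ArgumentError, "unknown placeholder #{name}" }
    raise ArgumentError, "unsafe value for #{name}: #{value.inspect}" unless value.match?(SAFE_VALUE)
    value
  end
  uri = URI.parse(expanded)
  raise ArgumentError, "scheme not allowed: #{uri.scheme.inspect}" unless %w[http https].include?(uri.scheme)
  raise ArgumentError, "host not allowed: #{uri.host.inspect}" unless allowed_hosts.include?(uri.host)
  addrs = resolver.call(uri.host)
  raise ArgumentError, "host #{uri.host} does not resolve" if addrs.empty?
  bad = addrs.find { |ip| blocked_ip?(ip) }
  raise ArgumentError, "host #{uri.host} resolves to blocked address #{bad}" if bad
  uri.to_s
end

def endpoint_allowed?(template, values, **opts)
  resolve_endpoint(template, values, **opts)
  true
rescue ArgumentError, URI::InvalidURIError
  false
end
```

The resolved-address check is only meaningful if the HTTP client then connects to one of the addresses that were checked; a client that re-resolves the name just before connecting can still be rebound, so in a real plugin the validated address should be pinned for the request.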


Remediation

Install the update from the vendor's website.