Missing Authentication for Critical Function in Fluentd - CVE-2026-44025


Published: June 29, 2026


Vulnerability identifier: #VU135828
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44025
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Fluentd Project
Affected software:
Fluentd

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication for a critical function in the Monitor Agent API endpoints when handling HTTP requests to `/api/plugins.json` and related endpoints. A remote attacker who can reach the Monitor Agent port can send an unauthenticated request and extract credentials used by other Fluentd plugins, disclosing sensitive information.

The issue exposes internal instance variables of loaded plugins in plain text, and the impact depends on whether the Monitor Agent port is reachable and whether configured plugins store secrets in instance variables.
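The two conditions named above (a reachable Monitor Agent port, and plugins that hold secrets in instance variables) are what a defender can actually check. The following is an added example, not code from the Fluentd project or from this advisory: it reviews a JSON body a defender has retrieved from their own instance's `/api/plugins.json` and flags credential-looking fields, and it audits a `fluent.conf` for `monitor_agent` sources that listen beyond loopback. `SAMPLE_RESPONSE`, `EXPOSED_CONF` and `HARDENED_CONF` are constructed inputs; the nested field names in the sample are illustrative rather than the real attribute names the advisory refers to, and the parameter defaults assumed by the audit (`bind 0.0.0.0`, `port 24220`, `include_config true`) follow Fluentd's published `monitor_agent` documentation.

```python
"""Defender-side review of Monitor Agent exposure (added example, not Fluentd code).

Assumptions: SAMPLE_RESPONSE is a CONSTRUCTED stand-in for a body fetched from
one's own /api/plugins.json; its nested field names are illustrative. The
config defaults used below (bind 0.0.0.0, port 24220, include_config true) are
taken from Fluentd's monitor_agent documentation and treated as assumptions."""
import json
import re
from typing import Any, Iterator

# Field names that usually carry credentials. Matched case-insensitively, and
# a leading Ruby "@" is stripped first so "@password" and "password" both match.
SECRET_KEY_RE = re.compile(
    r"pass(word|wd)?|secret|token|api_?key|shared_key|private_key|credential", re.I)

# Constructed sample response, shape loosely modelled on monitor_agent output.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"plugin_id": "object:3fc0", "plugin_category": "output", "type": "forward",
     "config": {"@type": "forward", "shared_key": "s3cr3t-shared",
                "host": "aggregator.example.internal"}},
    {"plugin_id": "object:3fc1", "plugin_category": "input", "type": "http",
     "config": {"@type": "http", "port": "9880"}},
    {"plugin_id": "object:3fc2", "plugin_category": "output", "type": "elasticsearch",
     "instance_variables": {"@user": "fluent", "@password": "hunter2",
                            "@hosts": "es.example.internal:9200"}},
]})


def _walk(obj: Any, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, leaf) for every scalar inside a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, path + (str(k),))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, path + (f"[{i}]",))
    else:
        yield path, obj


def redact(value: str) -> str:
    """Keep a two-character prefix so a finding is recognisable without re-exposing it."""
    return (value[:2] if len(value) > 2 else "") + "***"


def find_exposed_secrets(body: str) -> list:
    """Report every non-empty string field under a plugin whose name looks credential-like."""
    findings = []
    for plugin in json.loads(body).get("plugins", []):
        for path, value in _walk(plugin):
            leaf = path[-1].lstrip("@")
            if isinstance(value, str) and value and SECRET_KEY_RE.search(leaf):
                findings.append({"plugin_id": plugin.get("plugin_id", "?"),
                                 "type": plugin.get("type", "?"),
                                 "field": ".".join(path),
                                 "preview": redact(value)})
    return findings


_SOURCE_RE = re.compile(r"<source>(.*?)</source>", re.S)
_LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_monitor_agent(config_text: str) -> list:
    """For each monitor_agent <source>, report the listen address and whether config is exported."""
    results = []
    for block in _SOURCE_RE.findall(config_text):
        params = {}
        for line in block.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                params[parts[0]] = parts[1].strip()
        if params.get("@type") != "monitor_agent":
            continue
        bind = params.get("bind", "0.0.0.0")  # assumed documented default
        results.append({"bind": bind,
                        "port": int(params.get("port", "24220")),  # assumed documented default
                        "include_config": params.get("include_config", "true").lower() == "true",
                        "loopback_only": bind in _LOOPBACK})
    return results


# Constructed configs: network-reachable vs. loopback-only with config export disabled.
EXPOSED_CONF = """
<source>
  @type monitor_agent
  bind 0.0.0.0
  port 24220
</source>
"""
HARDENED_CONF = """
<source>
  @type monitor_agent
  bind 127.0.0.1
  port 24220
  include_config false
</source>
"""

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"{f['type']} ({f['plugin_id']}): {f['field']} = {f['preview']}")
    for conf in (EXPOSED_CONF, HARDENED_CONF):
        print(audit_monitor_agent(conf))
```

Run against a real response, the secret scan is a triage aid: any hit means the plugin in question stores a credential where the unauthenticated endpoint can return it, so that credential should be rotated after patching. The config audit does not replace the vendor update; it only tells you whether the first of the two conditions (port reachability) holds for a given `fluent.conf`.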


How to mitigate CVE-2026-44025

Install the security update from the vendor's website.

Sources