Published: 2026/06/29 Last Updated: 2026/06/29
JVN#36011274
Multiple vulnerabilities in Fluentd
Overview
Fluentd provided by Fluentd Project contains multiple vulnerabilities.
Products Affected
- Fluentd versions prior to v1.19.3
- fluent-plugin-s3 versions prior to 1.8.5
- fluent-plugin-opentelemetry versions prior to 0.5.3
- fluent-package LTS v6.0.3 and earlier
- fluent-package v6.0.0 and earlier
- fluent-package LTS v5.0.9 and earlier
- fluent-package v5.2.0 and earlier
Description
Fluentd provided by Fluentd Project contains multiple vulnerabilities listed below.
- Path traversal in the ${tag} placeholder (CWE-22)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
  - CVE-2026-44024
- Missing authentication for critical function in Monitor Agent API (CWE-306)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 8.7
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
  - CVE-2026-44025
- Improper handling of highly compressed data in in_http and in_forward (CWE-409)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 8.7
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5
  - CVE-2026-44160
- Server-side request forgery in out_http (CWE-918)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:L Base Score 6.9
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Base Score 7.2
  - CVE-2026-44161
- Improper handling of highly compressed data in in_s3 (CWE-409)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L Base Score 2.7
  - CVE-2026-44162
- Improper handling of highly compressed data in in_opentelemetry (CWE-409)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 6.9
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score 5.3
  - CVE-2026-44163
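The first entry above is a CWE-22 issue: a tag placeholder expanded into a filesystem path without a containment check. The following Ruby snippet is an added illustration of the defensive pattern, not Fluentd's placeholder code or its fix; the base directory, template and tag values are constructed for the example. It rejects any tag label outside a conservative character set and then independently verifies that the normalised path still lies under the base directory.

```ruby
require "pathname"

# Constructed example of a CWE-22 containment check for a tag-derived path.
# This is not Fluentd's own placeholder implementation.
#
# Tags are treated as dot-separated labels; each label is restricted to a
# conservative character set so that "/", "..", and NUL never reach the
# filesystem layer.
TAG_LABEL = /\A[A-Za-z0-9_\-]+\z/

# Expands "${tag}" in `template` into a sub-path built from the tag's labels
# and returns the resulting path, or nil if the tag is rejected or the
# resolved path does not stay under `base_dir`.
def expand_tag_path(base_dir, template, tag)
  base = Pathname.new(base_dir).cleanpath
  labels = tag.to_s.split(".", -1)

  # First line of defence: every label must be a plain identifier.
  return nil if labels.empty? || !labels.all? { |l| TAG_LABEL.match?(l) }

  relative = template.gsub("${tag}", labels.join("/"))
  candidate = (base + relative).cleanpath

  # Second, independent check: after normalisation the path must still be
  # inside the base directory (also catches absolute paths in the template).
  return nil unless candidate.to_s.start_with?("#{base}/")

  candidate.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts expand_tag_path("/var/log/fluent", "${tag}/buffer.log", "app.web")
  p expand_tag_path("/var/log/fluent", "${tag}/buffer.log", "../../etc/cron.d")
end
```

The two checks are deliberately redundant: the label whitelist stops traversal sequences before a path is ever built, and the post-normalisation prefix check catches template mistakes (such as an absolute path in the template) that the whitelist alone would not.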
Impact
- Files in the system area may be altered by processes with administrative privileges (CVE-2026-44024).
- Sensitive information contained in the configuration file may be read via API (CVE-2026-44025).
- Receiving a specially crafted request created and sent by a remote unauthenticated attacker may cause a denial-of-service (DoS) condition (CVE-2026-44160).
- Processing data specially crafted by a remote unauthenticated attacker may cause a denial-of-service (DoS) condition (CVE-2026-44162, CVE-2026-44163).
- A remote unauthenticated attacker may redirect requests to unauthorized servers and/or cause a denial-of-service (DoS) condition (CVE-2026-44161).
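Three of the entries (CVE-2026-44160, CVE-2026-44162, CVE-2026-44163) are CWE-409 issues, where a small compressed payload inflates into a much larger one and exhausts memory. The Ruby snippet below is an added illustration of bounded decompression, not code from Fluentd or its plugins; the 1 MiB cap and the sample payloads are constructed for the example. It streams the inflated output in chunks and aborts as soon as the running total exceeds the cap, so the full payload is never materialised.

```ruby
require "zlib"

# Constructed example of a CWE-409 mitigation: inflate with a hard cap on the
# decompressed size. This is not Fluentd's own input-plugin code.
MAX_INFLATED_BYTES = 1024 * 1024  # assumed 1 MiB cap for the example

class DecompressionLimitExceeded < StandardError; end

# Inflates zlib- or gzip-wrapped data chunk by chunk, raising as soon as the
# cumulative output exceeds `limit`, so a decompression bomb is cut off early.
def bounded_inflate(compressed, limit: MAX_INFLATED_BYTES)
  # windowBits + 32 lets zlib auto-detect a zlib or gzip header.
  inflater = Zlib::Inflate.new(Zlib::MAX_WBITS + 32)
  total = 0
  out = +""
  inflater.inflate(compressed) do |chunk|
    total += chunk.bytesize
    if total > limit
      raise DecompressionLimitExceeded, "inflated size exceeds #{limit} bytes"
    end
    out << chunk
  end
  out
ensure
  inflater&.close
end

# Convenience wrapper that maps outcomes to a status symbol for callers that
# want to reject the request rather than handle exceptions.
def inflate_or_reject(compressed, limit: MAX_INFLATED_BYTES)
  [:ok, bounded_inflate(compressed, limit: limit)]
rescue DecompressionLimitExceeded
  [:rejected, nil]
rescue Zlib::Error
  [:malformed, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: a benign payload and a highly compressible one.
  p inflate_or_reject(Zlib.gzip("hello"))
  bomb = Zlib::Deflate.deflate("A" * (4 * 1024 * 1024))
  p inflate_or_reject(bomb)
end
```

Checking the running total inside the chunk callback is the important part: a check on the compressed size alone does not help, because the ratio between compressed and inflated size is what the attacker controls.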
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Apply the Workaround
The developer recommends that users apply the workaround until the latest update has been applied.
For more details, refer to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| ClearCode Inc. | Vulnerable | 2026/06/29 | ClearCode Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
The developer reported these vulnerabilities to IPA to notify users of the solutions through JVN. JPCERT/CC and the developer coordinated under the Information Security Early Warning Partnership.
Other Information
| Source | Reference |
|---|---|
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2026-44024, CVE-2026-44025, CVE-2026-44160, CVE-2026-44161, CVE-2026-44162, CVE-2026-44163 |
| JVN iPedia | JVNDB-2026-000090 |