CVE-2026-44161 PUBLISHED

Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

Assigner: GitHub_M
Reserved: 05.05.2026 Published: 08.07.2026 Updated: 09.07.2026

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
CVSS Score: 7.2

Product Status

Vendor fluent
Product fluentd
Versions
  • Version < 1.19.3 is affected

References

Problem Types

  • CWE-918: Server-Side Request Forgery (SSRF) CWE