PT-2026-41935 · HestiaCP · HestiaCP

Credit: Divinity76 (+1)
Published: 2026-05-19 · Updated: 2026-05-30
CVE: CVE-2026-43634
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HestiaCP versions 1.2.0 through 1.9.4

Description: An IP spoofing issue allows unauthenticated remote attackers to bypass authentication security controls. This occurs when the system accepts an arbitrary IP address provided in the 'CF-Connecting-IP' HTTP header without verifying that the request actually originated from the Cloudflare network. Exploitation enables attackers to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses.

Recommendations: Update HestiaCP to a version later than 1.9.4. As a temporary mitigation, restrict access to the control panel or configure the server to only accept 'CF-Connecting-IP' headers from verified Cloudflare IP ranges.
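The following is an added illustration of the check the recommendation describes; it is not HestiaCP's code and is not the advisory's own material. It places the vulnerable pattern (trusting 'CF-Connecting-IP' unconditionally) beside a resolver that consults the header only when the TCP peer address falls inside a known proxy range, and falls back to the peer address otherwise. The proxy ranges here are a constructed placeholder; a real deployment must load Cloudflare's published IPv4 and IPv6 lists and refresh them, and the class and function names are the author's own choices.

```python
"""Client-IP resolution behind a reverse proxy: vulnerable pattern beside a hardened one.

Added example (not HestiaCP code). Demonstrates why a source-IP header may only be
trusted when the connecting peer is itself a verified proxy.
"""
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed placeholder ranges for this example only. Production code must use the
# ranges Cloudflare publishes (https://www.cloudflare.com/ips-v4, /ips-v6) and keep
# them current; these documentation-reserved prefixes are NOT Cloudflare's.
SAMPLE_PROXY_RANGES = ("198.51.100.0/24", "2001:db8:cf::/48")

HEADER = "cf-connecting-ip"


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def naive_client_ip(headers: Mapping[str, str], remote_addr: str) -> str:
    """The weakness described in the advisory: the header wins unconditionally,
    so any client can claim any source address (allowlist bypass, log poisoning,
    fail2ban evasion)."""
    claimed = _get_header(headers, HEADER)
    return claimed if claimed is not None else remote_addr


class ProxyAwareResolver:
    """Trusts the proxy-supplied client address only when the TCP peer is a known proxy."""

    def __init__(self, proxy_ranges: Iterable[str]) -> None:
        self._nets = [ipaddress.ip_network(r, strict=False) for r in proxy_ranges]

    def is_trusted_proxy(self, addr: str) -> bool:
        """True if addr parses and lies inside one of the configured proxy ranges."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # ipaddress returns False for a version mismatch, so mixed v4/v6 lists are safe.
        return any(ip in net for net in self._nets)

    def client_ip(self, headers: Mapping[str, str], remote_addr: str) -> str:
        """Address to use for allowlists, audit logs and brute-force counters."""
        if not self.is_trusted_proxy(remote_addr):
            # Direct connection (or an unknown intermediary): the header is untrusted
            # input, so the peer address is the only reliable identity.
            return remote_addr
        claimed = _get_header(headers, HEADER)
        if claimed is None:
            return remote_addr
        try:
            # Canonicalise so "::ffff:1.2.3.4"-style variants cannot dodge allowlist matching.
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            # Malformed value even from a trusted proxy: fall back rather than log garbage.
            return remote_addr


def compare(headers: Mapping[str, str], remote_addr: str) -> dict:
    """Side-by-side result of both strategies for one request."""
    resolver = ProxyAwareResolver(SAMPLE_PROXY_RANGES)
    return {
        "naive": naive_client_ip(headers, remote_addr),
        "hardened": resolver.client_ip(headers, remote_addr),
    }


if __name__ == "__main__":
    # Constructed request: a direct client claiming to be localhost via the header.
    print(compare({"CF-Connecting-IP": "127.0.0.1"}, "203.0.113.9"))
```

The resolver keys trust on the peer address of the TCP connection, which a remote client cannot forge, rather than on any header content. Everything downstream that makes a security decision on an address (allowlist checks, fail2ban log lines, audit records) should consume `client_ip()` and never read the header directly.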

Related Identifiers: CVE-2026-43634

Affected Products: HestiaCP