PT-2026-53003 · Fluentd+1 · Fluentd
Published
2026-06-26
·
Updated
2026-07-08
·
CVE-2026-44025
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Fluentd versions prior to 1.19.3
Description
The Monitor Agent plugin
in monitor agent exposes internal metrics and plugin information through a REST API. The responses from the /api/plugins.json endpoint and related endpoints unintentionally include internal instance variables of loaded plugins. If plugins store sensitive data such as database passwords, API keys, or cloud credentials within these variables, the information may be exposed in plain text to any user or system with HTTP access to the Monitor Agent API port (default 24220).Recommendations
Update to version 1.19.3.
Ensure the Monitor Agent is bound to
localhost (127.0.0.1) instead of 0.0.0.0 to restrict access.
Use firewall rules to block access to the Monitor Agent port 24220 from untrusted networks.Fix
Information Disclosure
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Fluentd