PT-2026-53003 · Fluentd+1 · Fluentd

Published

2026-06-26

·

Updated

2026-07-08

·

CVE-2026-44025

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Fluentd versions prior to 1.19.3
Description The Monitor Agent plugin in monitor agent exposes internal metrics and plugin information through a REST API. The responses from the /api/plugins.json endpoint and related endpoints unintentionally include internal instance variables of loaded plugins. If plugins store sensitive data such as database passwords, API keys, or cloud credentials within these variables, the information may be exposed in plain text to any user or system with HTTP access to the Monitor Agent API port (default 24220).
Recommendations Update to version 1.19.3. Ensure the Monitor Agent is bound to localhost (127.0.0.1) instead of 0.0.0.0 to restrict access. Use firewall rules to block access to the Monitor Agent port 24220 from untrusted networks.

Fix

Information Disclosure

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44025
GHSA-PR7J-96CJ-549H

Affected Products

Fluentd