JVNDB-2026-000090

[Japanese]
JVNDB-2026-000090
Multiple vulnerabilities in Fluentd
Overview
Fluentd provided by Fluentd Project contains multiple vulnerabilities listed below. Path traversal in ${tag} Placeholder (CWE-22) - CVE-2026-44024 Missing authentication for critical function in Monitor Agent API (CWE-306) - CVE-2026-44025 Improper handling of highly compressed data in in_http and in_forward (CWE-409) - CVE-2026-44160 Server-side request forgery in out_http (CWE-918) - CVE-2026-44161 Improper handling of highly compressed data in in_s3 (CWE-409) - CVE-2026-44162 Improper handling of highly compressed data in in_opentelemetry (CWE-409) - CVE-2026-44163 The developer reported these vulnerabilities to IPA to notify users of the solutions through JVN. JPCERT/CC and the developer coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 9.8 (Critical) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High
CVSS v4 Severity Base Metrics: 9.3 (Critical) [IPA Score] Access Vector (AV): Network Attack Complexity (AC): Low Attack Requirements (AT): None Privileges Required (PR): None User Interaction (UI): None Vulnerable System Impact Confidentiality Impact (VC): High Integrity Impact (VI): High Availability Impact (VA): High Subsequent System Impact Confidentiality Impact (SC): None Integrity Impact (SI): None Availability Impact (SA): None The above CVSS base scores have been assigned for CVE-2026-44024
CVSS v3 Severity Base Metrics: 7.5(High) [IPA Score] Access Vector : Network Attack Complexity : Low Privileges Required : None User Interaction : None Scope : Unchanged Confidentiality Impact : High Integrity Impact : None Availability Impact : None CVSS v4 Severity Base Metrics: 8.7 (High) [IPA Score] Access Vector (AV): Network Attack Complexity (AC): Low Attack Requirements (AT): None Privileges Required (PR): None User Interaction (UI): None Vulnerable System Impact Confidentiality Impact (VC): High Integrity Impact (VI): None Availability Impact (VA): None Subsequent System Impact Confidentiality Impact (SC): None Integrity Impact (SI): None Availability Impact (SA): None The above CVSS base scores have been assigned for CVE-2026-44025
CVSS v3 Severity Base Metrics: 7.5(High) [IPA Score] Access Vector : Network Attack Complexity : Low Privileges Required : None User Interaction : None Scope : Unchanged Confidentiality Impact : None Integrity Impact : None Availability Impact : High CVSS v4 Severity Base Metrics: 8.7 (High) [IPA Score] Access Vector (AV): Network Attack Complexity (AC): Low Attack Requirements (AT): None Privileges Required (PR): None User Interaction (UI): None Vulnerable System Impact Confidentiality Impact (VC): None Integrity Impact (VI): None Availability Impact (VA): High Subsequent System Impact Confidentiality Impact (SC): None Integrity Impact (SI): None Availability Impact (SA): None The above CVSS base scores have been assigned for CVE-2026-44160
CVSS v3 Severity Base Metrics: 7.2(High) [IPA Score] Access Vector : Network Attack Complexity : Low Privileges Required : None User Interaction : None Scope : Changed Confidentiality Impact : Low Integrity Impact : None Availability Impact : Low CVSS v4 Severity Base Metrics: 6.9 (Medium) [IPA Score] Access Vector (AV): Network Attack Complexity (AC): Low Attack Requirements (AT): None Privileges Required (PR): None User Interaction (UI): None Vulnerable System Impact Confidentiality Impact (VC): None Integrity Impact (VI): None Availability Impact (VA): None Subsequent System Impact Confidentiality Impact (SC): Low Integrity Impact (SI): None Availability Impact (SA): Low The above CVSS base scores have been assigned for CVE-2026-44161
CVSS v3 Severity Base Metrics: 2.7(Low) [IPA Score] Access Vector : Network Attack Complexity : Low Privileges Required : High User Interaction : None Scope : Unchanged Confidentiality Impact : None Integrity Impact : None Availability Impact : Low CVSS v4 Severity Base Metrics: 5.1 (Medium) [IPA Score] Access Vector (AV): Network Attack Complexity (AC): Low Attack Requirements (AT): None Privileges Required (PR): High User Interaction (UI): None Vulnerable System Impact Confidentiality Impact (VC): None Integrity Impact (VI): None Availability Impact (VA): Low Subsequent System Impact Confidentiality Impact (SC): None Integrity Impact (SI): None Availability Impact (SA): None The above CVSS base scores have been assigned for CVE-2026-44162
CVSS v3 Severity Base Metrics: 5.3(Medium) [IPA Score] Access Vector : Network Attack Complexity : Low Privileges Required : None User Interaction : None Scope : Unchanged Confidentiality Impact : None Integrity Impact : None Availability Impact : Low CVSS v4 Severity Base Metrics: 6.9 (Medium) [IPA Score] Access Vector (AV): Network Attack Complexity (AC): Low Attack Requirements (AT): None Privileges Required (PR): None User Interaction (UI): None Vulnerable System Impact Confidentiality Impact (VC): None Integrity Impact (VI): None Availability Impact (VA): Low Subsequent System Impact Confidentiality Impact (SC): None Integrity Impact (SI): None Availability Impact (SA): None The above CVSS base scores have been assigned for CVE-2026-44163
Affected Products

Fluentd Project fluent-plugin-opentelemetry versions prior to 0.5.3 fluent-plugin-s3 versions prior to 1.8.5 Fluentd versions prior to v1.19.3 ClearCode Inc. fluent-package LTS v6.0.3 and earlier fluent-package v6.0.0 and earlier fluent-package LTS v5.0.9 and earlier fluent-package v5.2.0 and earlier
The products of ClearCode Inc. that bundle Fluentd are also affected.
Impact
Files in the system area may be altered by processes with administrative privileges (CVE-2026-44024). Sensitive information contained in the configuration file may be read via API (CVE-2026-44025). Receiving a specially crafted request created and sent by a remote unauthenticated attacker may cause a denial-of-service (DoS) condition (CVE-2026-44160). Processing data specially crafted by a remote unauthenticated attacker may cause a denial-of-service (DoS) condition (CVE-2026-44162, CVE-2026-44163). A remote unauthenticated attacker may redirect requests to unauthorized servers and/or cause a denial-of-service (DoS) condition (CVE-2026-44161).
Solution
[Update the Software] Update the software to the latest version according to the information provided by the developer. [Apply the Workaround] The developer recommends that the users should apply the workaround until applying the latest update. For more details, refer to the information provided by the developer.
Vendor Information
Fluentd Project Fluentd Project : Exposure of Sensitive Information via Monitor Agent API (CVE-2026-44025) Fluentd Project : Denial of Service (DoS) via Decompression Bomb in `in_s3` (CVE-2026-44162) Fluentd Project : Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry` (CVE-2026-44163) Fluentd Project : Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder (CVE-2026-44024) Fluentd Project : Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http` (CVE-2026-44161) Fluentd Project : Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward` (CVE-2026-44160) ClearCode Inc. ClearCode Inc. : ClearCode Inc. website (in Japanese) JVN : Information from ClearCode Inc.
CWE (What is CWE?)
Path Traversal(CWE-22) [IPA Evaluation] No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2026-44024 CVE-2026-44025 CVE-2026-44160 CVE-2026-44161 CVE-2026-44162 CVE-2026-44163
References
JVN : JVN#36011274
Revision History
[2026/06/29] Web page was published


Date Public	2026/06/29
Date First Published	2026/06/29
Date Last Updated	2026/06/29

Multiple vulnerabilities in Fluentd