GHSA-44hj-4m45-frj3

Source
https://github.com/advisories/GHSA-44hj-4m45-frj3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-44hj-4m45-frj3/GHSA-44hj-4m45-frj3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-44hj-4m45-frj3
Aliases
  • CVE-2026-44024
Published
2026-06-26T16:32:05Z
Modified
2026-06-26T16:45:08.373163635Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Details

Fluentd allows dynamically constructing file paths using the ${tag} placeholder. It was discovered that validation for this placeholder was insufficient.

If a Fluentd instance is configured to receive logs from untrusted sources and uses the ${tag} placeholder in file configurations (such as the path parameter in the out_file plugin), an attacker can inject path traversal characters (e.g., ../).

When combined with certain formatting options, this vulnerability allows an attacker to write arbitrary files or overwrite existing files on the system with attacker-controlled content, bypassing intended directory restrictions.

Impact

This vulnerability allows for Arbitrary File Write, which can be directly escalated to full Remote Code Execution (RCE). An attacker could achieve RCE by overwriting critical system files, injecting executable plugins, or modifying configuration files. The impact is Critical as it can lead to full system compromise without any authentication, depending on the Fluentd configuration and the privileges of the Fluentd process.

Patches

v1.19.3

Workarounds

If an immediate upgrade is not possible, users are strongly advised to apply the following mitigations:

  1. Restrict Network Access
    • Ensure that Fluentd input ports (such as in_forward on default port 24224) are deployed within a closed, trusted network. Use firewall rules (e.g., iptables, AWS Security Groups) to block access from untrusted networks or instances.
  2. Run Fluentd as a non-root user
    • Dropping privileges prevents Fluentd from writing to sensitive system directories (e.g., /etc/), significantly mitigating the risk of system-wide RCE.
  3. Revise configurations
    • Do not use the ${tag} placeholder in the path parameter of output plugins (like out_file) if the tag originates from an untrusted source.
  4. Filter incoming tags
    • Strictly validate and filter incoming tags at the input layer (e.g., using fluent-plugin-rewrite-tag-filter) to drop any tags containing . or / characters.
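The two configuration-side mitigations above (keep untrusted tags out of the path, and filter tags at the input layer) can be checked in code. The following Ruby is an added example written for this page, not code from the Fluentd project: `tag_allowed_strict?` applies workaround 4 literally (any tag containing `.` or `/` is dropped), `tag_allowed_dotted?` is a looser variant of my own that still accepts Fluentd's dotted tag syntax while rejecting separators and empty or `..` segments, and `resolve_output_path` shows the general containment check a defender wants behind any `${tag}`-driven path: expand the template, normalise it, and refuse anything that lands outside the configured base directory. The sample tags and the `/var/log/fluent` base directory are constructed for the demonstration.

```ruby
# Added example (not Fluentd project code). Defender-side checks for tags that
# feed a ${tag} placeholder in a file path.

# Workaround 4 from the advisory, applied literally: drop any tag that contains
# a '.' or a '/'. Strict by design, so a dotted tag such as "app.access" fails.
def tag_allowed_strict?(tag)
  return false if tag.nil? || tag.empty?
  !tag.match?(%r{[./]})
end

# Looser variant (my assumption, not from the advisory): keep Fluentd's usual
# dotted tag syntax, but allow only [A-Za-z0-9_-] inside each segment, so no
# slashes, backslashes, empty segments or ".." segments can survive.
TAG_SEGMENT = /[A-Za-z0-9_-]+/
DOTTED_TAG_RE = /\A#{TAG_SEGMENT}(\.#{TAG_SEGMENT})*\z/

def tag_allowed_dotted?(tag)
  return false if tag.nil?
  tag.match?(DOTTED_TAG_RE)
end

# Substitute the placeholder the same way a path template would.
def expand_path_template(template, tag)
  template.gsub('${tag}', tag)
end

# True when `candidate`, after normalisation, is the base directory itself or
# lies beneath it. The trailing separator stops "/var/log/fluent-other" from
# passing as a child of "/var/log/fluent".
def path_within_base?(base_dir, candidate)
  base = File.expand_path(base_dir)
  full = File.expand_path(candidate)
  full == base || full.start_with?(base + File::SEPARATOR)
end

# Build the output path for a tag and refuse it if the tag escaped the base
# directory. Raises ArgumentError on traversal instead of writing anywhere.
def resolve_output_path(base_dir, template, tag)
  candidate = expand_path_template(File.join(base_dir, template), tag)
  unless path_within_base?(base_dir, candidate)
    raise ArgumentError, "tag escapes base directory: #{tag.inspect}"
  end
  File.expand_path(candidate)
end

# Partition a batch of (tag, record) pairs into those whose tags pass the
# dotted filter and those that should be dropped at the input layer.
def filter_events(events)
  events.partition { |tag, _record| tag_allowed_dotted?(tag) }
end

if __FILE__ == $0
  # Constructed sample events: two ordinary tags and two that must be dropped.
  sample = [
    ['app.access', { 'msg' => 'GET /' }],
    ['app.error',  { 'msg' => 'boom' }],
    ['../../outside', { 'msg' => 'traversal attempt' }],
    ['a..b', { 'msg' => 'empty segment' }],
  ]
  kept, dropped = filter_events(sample)
  puts "kept:    #{kept.map(&:first).inspect}"
  puts "dropped: #{dropped.map(&:first).inspect}"
  puts resolve_output_path('/var/log/fluent', '${tag}.log', 'app.access')
end
```

The tag filter belongs at the input side (the advisory suggests fluent-plugin-rewrite-tag-filter for that role); the containment check is the belt-and-braces test that remains useful even after upgrading, since it fails closed for any placeholder, not only `${tag}`.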
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22",
        "CWE-94"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-06-26T16:32:05Z"
}
Affected packages

RubyGems / fluentd

Package

Name
fluentd
Purl
pkg:gem/fluentd

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.19.3

Affected versions

0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.10.10
0.10.11
0.10.12
0.10.13
0.10.15
0.10.16
0.10.17
0.10.18
0.10.19
0.10.20
0.10.21
0.10.22
0.10.23
0.10.24
0.10.25
0.10.26
0.10.27
0.10.28
0.10.29
0.10.30
0.10.31
0.10.32
0.10.33
0.10.34
0.10.35
0.10.36
0.10.37
0.10.38
0.10.39
0.10.40
0.10.41
0.10.42
0.10.43
0.10.44
0.10.45
0.10.46
0.10.47
0.10.48
0.10.49
0.10.50
0.10.51
0.10.52
0.10.53
0.10.54
0.10.55
0.10.56
0.10.57
0.10.58
0.10.59
0.10.60
0.10.61
0.10.62
0.12.0.pre.1
0.12.0.pre.2
0.12.0.pre.3
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.12.11
0.12.12
0.12.13
0.12.14
0.12.15
0.12.16
0.12.17
0.12.18
0.12.19
0.12.20
0.12.21
0.12.22
0.12.23
0.12.24
0.12.25
0.12.26
0.12.27
0.12.28
0.12.29
0.12.30
0.12.31
0.12.32
0.12.33
0.12.34
0.12.35
0.12.36
0.12.37
0.12.38
0.12.39
0.12.40
0.12.41
0.12.42
0.12.43
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.14.7
0.14.8
0.14.9
0.14.10
0.14.11
0.14.12
0.14.13
0.14.14.pre.1
0.14.14
0.14.15
0.14.16
0.14.17
0.14.18
0.14.19
0.14.20.rc1
0.14.20
0.14.21
0.14.22.rc1
0.14.22.rc2
0.14.22
0.14.23.rc1
0.14.23
0.14.24
0.14.25
1.*
1.0.0.rc1
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0.pre1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4.rc1
1.2.4
1.2.5.rc1
1.2.5
1.2.6
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0.rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0.rc1
1.8.0.rc2
1.8.0.rc3
1.8.0
1.8.1
1.9.0.rc1
1.9.0.rc2
1.9.0
1.9.1
1.9.2
1.9.3
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.12.0.rc1
1.12.0.rc2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.13.3
1.14.0.rc
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
1.16.6
1.16.7
1.16.8
1.16.9
1.16.10
1.16.11
1.17.0
1.17.1
1.18.0
1.19.0
1.19.1
1.19.2

Database specific

last_known_affected_version_range: "<= 1.19.2"
source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-44hj-4m45-frj3/GHSA-44hj-4m45-frj3.json"