GHSA-pr7j-96cj-549h

Source
https://github.com/advisories/GHSA-pr7j-96cj-549h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pr7j-96cj-549h/GHSA-pr7j-96cj-549h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pr7j-96cj-549h
Aliases
  • CVE-2026-44025
Published
2026-06-26T16:32:57Z
Modified
2026-06-26T16:45:08.387181481Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API
Details

Fluentd's Monitor Agent plugin (in_monitor_agent) exposes internal metrics and plugin information via a REST API. It was discovered that the API response (/api/plugins.json and related endpoints) unintentionally includes internal instance variables of loaded plugins.

If any plugin stores sensitive information, such as database passwords, API keys, or cloud credentials, in its instance variables, that information may be exposed in plain text to any user or system with HTTP access to the Monitor Agent API.

Impact

This vulnerability allows for unauthorized information disclosure. An attacker who can reach the Monitor Agent API port (default: 24220) can potentially extract sensitive credentials used by other Fluentd plugins. The impact severity depends highly on the network configuration (whether the Monitor Agent port is exposed to untrusted networks) and the specific plugins configured in the Fluentd instance.

Patches

v1.19.3

Workarounds

If users cannot immediately update Fluentd to the patched version, they can mitigate this risk by strictly controlling access to the Monitor Agent port.

Ensure the Monitor Agent is only bound to localhost (127.0.0.1) rather than 0.0.0.0.

<source>
  @type monitor_agent
  bind 127.0.0.1
  port 24220
</source>

Use firewall rules (e.g., iptables, AWS Security Groups) to block access to the Monitor Agent port (24220) from untrusted networks or instances.
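The following is an added example, not code from the Fluentd project or from this advisory: a small Ruby audit that checks a Fluentd configuration for the two workarounds above (a patched version, and a monitor_agent source bound only to loopback). It assumes a flat configuration with top-level <source> blocks (no nested sections or @include), that a missing bind directive means the plugin listens on 0.0.0.0, and that a missing port means 24220; the sample configurations are constructed for the example.

```ruby
# Added example (not Fluentd project code): audit a Fluentd config for the
# Monitor Agent exposure mitigations described in GHSA-pr7j-96cj-549h.
require 'ipaddr'

PATCHED_VERSION = Gem::Version.new('1.19.3')   # first fixed release per the advisory
MONITOR_PORT_DEFAULT = '24220'                 # default Monitor Agent port per the advisory

# Minimal parser for Fluentd's directive format. Returns one Hash per
# top-level <source> ... </source> block, mapping directive name to value.
# Assumption: flat configs only; nested sections and @include are ignored.
def parse_sources(config_text)
  sources = []
  current = nil
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line == '<source>'
      current = {}
    elsif line == '</source>'
      sources << current if current
      current = nil
    elsif current
      key, value = line.split(/\s+/, 2)
      current[key] = value.to_s.strip
    end
  end
  sources
end

# True only for loopback addresses (127.0.0.0/8, ::1); invalid input is treated
# as not loopback so an unparseable bind value is reported rather than trusted.
def loopback?(addr)
  IPAddr.new(addr).loopback?
rescue IPAddr::InvalidAddressError
  false
end

# Returns an Array of finding strings; empty means both mitigations are in place.
def audit_monitor_agent(config_text, running_version)
  findings = []
  if Gem::Version.new(running_version) < PATCHED_VERSION
    findings << "fluentd #{running_version} is below the patched release #{PATCHED_VERSION}; upgrade"
  end
  parse_sources(config_text).each do |src|
    next unless src['@type'] == 'monitor_agent'
    bind = src.fetch('bind', '0.0.0.0')            # assumption: plugin default is 0.0.0.0
    port = src.fetch('port', MONITOR_PORT_DEFAULT)  # assumption: plugin default is 24220
    unless loopback?(bind)
      findings << "monitor_agent listens on #{bind}:#{port}; bind to 127.0.0.1 and firewall the port"
    end
  end
  findings
end

# Constructed sample configs for the example.
EXPOSED_CONFIG = <<~CONF
  <source>
    @type monitor_agent
    port 24220
  </source>
  <source>
    @type forward
    port 24224
  </source>
CONF

HARDENED_CONFIG = <<~CONF
  <source>
    @type monitor_agent
    bind 127.0.0.1
    port 24220
  </source>
CONF

if __FILE__ == $PROGRAM_NAME
  { 'exposed (1.19.2)' => [EXPOSED_CONFIG, '1.19.2'],
    'hardened (1.19.3)' => [HARDENED_CONFIG, '1.19.3'] }.each do |label, (conf, ver)|
    findings = audit_monitor_agent(conf, ver)
    puts "#{label}: #{findings.empty? ? 'OK' : findings.join('; ')}"
  end
end
```

A missing bind directive is reported as a finding on purpose: the audit should flag the implicit default rather than assume it is safe. Pointing the script at a real deployment means reading the actual fluent.conf and the version reported by the running daemon (for example from `fluentd --version`).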

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200",
        "CWE-306"
    ],
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2026-06-26T16:32:57Z"
}
References

Affected packages

RubyGems / fluentd

Package

Name
fluentd
Purl
pkg:gem/fluentd

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.19.3

Affected versions

0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.10.10
0.10.11
0.10.12
0.10.13
0.10.15
0.10.16
0.10.17
0.10.18
0.10.19
0.10.20
0.10.21
0.10.22
0.10.23
0.10.24
0.10.25
0.10.26
0.10.27
0.10.28
0.10.29
0.10.30
0.10.31
0.10.32
0.10.33
0.10.34
0.10.35
0.10.36
0.10.37
0.10.38
0.10.39
0.10.40
0.10.41
0.10.42
0.10.43
0.10.44
0.10.45
0.10.46
0.10.47
0.10.48
0.10.49
0.10.50
0.10.51
0.10.52
0.10.53
0.10.54
0.10.55
0.10.56
0.10.57
0.10.58
0.10.59
0.10.60
0.10.61
0.10.62
0.12.0.pre.1
0.12.0.pre.2
0.12.0.pre.3
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.12.11
0.12.12
0.12.13
0.12.14
0.12.15
0.12.16
0.12.17
0.12.18
0.12.19
0.12.20
0.12.21
0.12.22
0.12.23
0.12.24
0.12.25
0.12.26
0.12.27
0.12.28
0.12.29
0.12.30
0.12.31
0.12.32
0.12.33
0.12.34
0.12.35
0.12.36
0.12.37
0.12.38
0.12.39
0.12.40
0.12.41
0.12.42
0.12.43
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.14.7
0.14.8
0.14.9
0.14.10
0.14.11
0.14.12
0.14.13
0.14.14.pre.1
0.14.14
0.14.15
0.14.16
0.14.17
0.14.18
0.14.19
0.14.20.rc1
0.14.20
0.14.21
0.14.22.rc1
0.14.22.rc2
0.14.22
0.14.23.rc1
0.14.23
0.14.24
0.14.25
1.*
1.0.0.rc1
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0.pre1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4.rc1
1.2.4
1.2.5.rc1
1.2.5
1.2.6
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0.rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0.rc1
1.8.0.rc2
1.8.0.rc3
1.8.0
1.8.1
1.9.0.rc1
1.9.0.rc2
1.9.0
1.9.1
1.9.2
1.9.3
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.12.0.rc1
1.12.0.rc2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.13.3
1.14.0.rc
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
1.16.6
1.16.7
1.16.8
1.16.9
1.16.10
1.16.11
1.17.0
1.17.1
1.18.0
1.19.0
1.19.1
1.19.2

Database specific

last_known_affected_version_range
"<= 1.19.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pr7j-96cj-549h/GHSA-pr7j-96cj-549h.json"