EXECUTIVE SUMMARY:
Four vulnerabilities in Fluentd impact several plugins and features, including placeholder handling, Monitor Agent API exposure, gzip decompression handling, and dynamic file path construction. Successful exploitation could allow unauthenticated attackers to perform SSRF against internal services, exhaust memory and disrupt log forwarding, expose sensitive credentials, or escalate arbitrary file writes into remote code execution depending on configuration and network exposure.
CVE-2026-44161 with a CVSS score of 7.2: This Server-Side Request Forgery (SSRF) vulnerability in the out_http plugin allows attackers to manipulate placeholder values to control the destination of HTTP requests, potentially accessing internal APIs and cloud metadata services.
CVE-2026-44160 with a CVSS score of 7.5: This Denial of Service (DoS) vulnerability exists in the in_http and in_forward plugins, where a lack of decompression size limits allows an attacker to exhaust memory and crash the logging service via a malicious gzip payload.
CVE-2026-44025 with a CVSS score of 7.5: This information disclosure vulnerability in the Fluentd Monitor Agent plugin can expose sensitive plugin credentials through API endpoints to attackers with HTTP access.
CVE-2026-44024 with a CVSS score of 9.8: This path traversal vulnerability in Fluentd, caused by unsafe tag placeholder validation, allows unauthenticated attackers to write arbitrary files and potentially achieve RCE.
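The missing decompression size limit described for CVE-2026-44160 can be illustrated with a size-capped gzip reader. This is an added example, not Fluentd's code or its fix; the helper `bounded_gunzip`, the error class `DecompressionLimitExceeded`, and the 1 MiB limit are assumptions chosen for illustration.

```ruby
require 'zlib'
require 'stringio'

# Raised when the inflated size would pass the caller's ceiling.
class DecompressionLimitExceeded < StandardError; end

# Hypothetical helper, not a Fluentd API. Inflates a gzip body in fixed-size
# reads and aborts once the running total passes max_bytes, so memory use is
# capped near the limit instead of growing with whatever the sender compressed.
# The limit covers all concatenated gzip members together.
def bounded_gunzip(compressed, max_bytes:, chunk_size: 16 * 1024)
  out = String.new(encoding: Encoding::BINARY)
  io = StringIO.new(compressed)
  loop do
    gz = Zlib::GzipReader.new(io) # raises Zlib::GzipFile::Error on non-gzip input
    while (piece = gz.read(chunk_size))
      if out.bytesize + piece.bytesize > max_bytes
        raise DecompressionLimitExceeded, "inflated size exceeds #{max_bytes} bytes"
      end
      out << piece
    end
    unused = gz.unused # bytes already read past this member, if any
    gz.finish
    break if unused.nil? || unused.empty?
    io.pos -= unused.bytesize # rewind to the start of the next member
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: an ordinary record and a highly compressible body.
  small = Zlib.gzip('{"message":"ok"}')
  large = Zlib.gzip("\0" * (8 * 1024 * 1024))
  puts bounded_gunzip(small, max_bytes: 1024 * 1024)
  begin
    bounded_gunzip(large, max_bytes: 1024 * 1024)
  rescue DecompressionLimitExceeded => e
    puts "rejected #{large.bytesize}-byte body: #{e.message}"
  end
end
```

The check runs on the inflated byte count, so a body that is small on the wire is still rejected once its output passes the ceiling.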
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-72f5-rr8c-r6gr
https://github.com/advisories/GHSA-j9cw-hwqf-85w7
https://github.com/advisories/GHSA-pr7j-96cj-549h
https://github.com/advisories/GHSA-44hj-4m45-frj3