CVE-2026-44024
Fluent · Fluentd
Fluentd allows path traversal via the ${tag} placeholder in file configurations, enabling attackers to write or overwrite arbitrary files and potentially achieve remote code execution.
Executive summary
A critical path traversal vulnerability in Fluentd versions prior to 1.19.3 allows attackers to perform arbitrary file writes, creating a significant risk for remote code execution.
Vulnerability
This is a path traversal vulnerability caused by insufficient validation of the ${tag} placeholder in the out_file plugin. By sending crafted tags containing traversal characters, an unauthenticated attacker can manipulate file paths to write to unintended locations on the host filesystem.
Business impact
Successful exploitation of this vulnerability allows attackers to overwrite critical system configuration files or binary files, which can lead to full system compromise via remote code execution. Given the CVSS score of 9.8, this vulnerability is critical. It poses a severe threat to the integrity and confidentiality of the entire host system running the Fluentd service.
Remediation
Immediate Action: Update the Fluentd installation to version 1.19.3 or later to apply the necessary input validation fixes.
Proactive Monitoring: Review Fluentd configuration files to identify if they utilize the ${tag} placeholder in path definitions and monitor filesystem activity for unauthorized file write attempts.
Compensating Controls: Run the Fluentd process with the minimum necessary filesystem permissions (least privilege) to limit the impact of a potential path traversal exploit.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is highly critical and presents a direct path to system compromise. All users of Fluentd must prioritize upgrading to version 1.19.3 immediately. Organizations should also audit their logging configurations to ensure that input tags are not being used in a way that could facilitate path traversal.