CVE-2026-44024
Received Received - Intake

Path Traversal in Fluentd via Tag Placeholder

Vulnerability report for CVE-2026-44024, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
treasure_data fluentd 1.19.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Fluentd versions prior to 1.19.3. Fluentd allows dynamic construction of file paths using the ${tag} placeholder. However, there is insufficient validation of the ${tag} value in file configurations such as the path parameter of the out_file plugin. Attackers can exploit this by sending untrusted tags containing path traversal characters, which enables them to write or overwrite arbitrary files on the system.

This can potentially lead to remote code execution, as attackers may place malicious files or overwrite critical files.

Impact Analysis

The vulnerability can have severe impacts including unauthorized file write or overwrite on the affected system. This can lead to remote code execution, allowing attackers to run arbitrary code with the privileges of the Fluentd process.

Such an exploit can compromise the integrity, confidentiality, and availability of the system and its data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Fluentd to version 1.19.3 or later, where the issue with insufficient validation of the ${tag} placeholder in file path configurations has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44024. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart