CVE-2026-44025
Received Received - Intake

Information Exposure in Fluentd Monitor Agent

Vulnerability report for CVE-2026-44025, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin in_monitor_agent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related endpoints unintentionally include internal instance variables that may contain database passwords, API keys, or cloud credentials. This issue is fixed in version 1.19.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
treasure_data fluentd 1.19.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Fluentd's Monitor Agent plugin (in_monitor_agent) prior to version 1.19.3. The plugin exposes internal metrics and plugin information through a REST API endpoint (/api/plugins.json and related endpoints). However, the responses from these endpoints unintentionally include internal instance variables that may contain sensitive information such as database passwords, API keys, or cloud credentials.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information including database passwords, API keys, and cloud credentials. Since the REST API endpoints are accessible without authentication (as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N), an attacker could remotely access these endpoints and retrieve confidential data. This could result in unauthorized access to databases, cloud services, or other systems, potentially leading to data breaches or further exploitation.

Mitigation Strategies

The vulnerability is fixed in Fluentd version 1.19.3. To mitigate this vulnerability, you should upgrade Fluentd to version 1.19.3 or later.

Compliance Impact

This vulnerability in Fluentd's Monitor Agent plugin exposes internal instance variables via a REST API, which may include sensitive information such as database passwords, API keys, or cloud credentials.

Exposure of such sensitive data could potentially lead to unauthorized access or data breaches, which may impact compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive information.

However, specific details on how this vulnerability directly affects compliance with these standards are not provided in the available information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44025. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart