CVE-2026-43634
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| hestiacp | hestiacp | 1.2.0 <= 1.9.4 | affected |
| hestiacp | hestiacp | f381e294500f671cf12716c638afd0bfde901f88 | unaffected |
Weaknesses
- CWE-348: Use of Less Trusted Source
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634
- https://github.com/hestiacp/hestiacp/issues/5229
- https://github.com/hestiacp/hestiacp/pull/5273
- https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88
- https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.