Vulnerability Details :

CVE-2026-43634

Summary
Assigner: VulnCheck
Assigner Org ID: 83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At: 19 May, 2026 | 13:33
Updated At: 19 May, 2026 | 16:39
Rejected At: -

HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
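The header-trust flaw the description names, as an added illustration (not HestiaCP's own code): the vulnerable resolver beside a hardened one that honours CF-Connecting-IP only when the TCP peer lies in a trusted proxy range. The ranges and addresses are constructed placeholders, and the header map is assumed to be already case-normalized.

```python
import ipaddress
from typing import Mapping

# Constructed stand-in for the trusted edge ranges; in production load
# Cloudflare's published list (https://www.cloudflare.com/ips/) and refresh it.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def client_ip_vulnerable(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The pattern the advisory describes: whoever connects can set
    CF-Connecting-IP and it is taken at face value."""
    return headers.get("CF-Connecting-IP", remote_addr)


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Honour CF-Connecting-IP only when the TCP peer is a trusted proxy and
    the header is a well-formed address; otherwise use the peer address."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not any(peer in net for net in TRUSTED_PROXY_RANGES):
        return remote_addr  # direct connection: header is client-controlled
    claimed = headers.get("CF-Connecting-IP")
    if claimed is None:
        return remote_addr
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return remote_addr  # malformed header: keep it out of the audit log


def login_allowed(client_ip: str, allowlist: list[str]) -> bool:
    """Per-user IP allowlist check fed by whichever resolver is used above."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in allowlist)
```

With the vulnerable resolver a direct connection from 203.0.113.7 carrying `CF-Connecting-IP: 10.0.0.5` passes an allowlist of 10.0.0.0/8; the hardened resolver ignores the header because the peer is not a trusted proxy.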

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor
hestiacp
Product
hestiacp
Repo
https://github.com/hestiacp/hestiacp
Default Status
affected
Versions
Affected
  • From 1.2.0 through 1.9.4 (semver)
Unaffected
  • f381e294500f671cf12716c638afd0bfde901f88 (git)
Problem Types
Type: CWE
CWE ID: CWE-348
Description: Use of Less Trusted Source
Metrics
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Credits
finder: sutol
remediation developer: divinity76
References
  • https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634 (technical-description, exploit)
  • https://github.com/hestiacp/hestiacp/issues/5229 (issue-tracking)
  • https://github.com/hestiacp/hestiacp/pull/5273 (issue-tracking)
  • https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88 (patch)
  • https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header (third-party-advisory)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD)
nvd.nist.gov
Source: disclosure@vulncheck.com
Published At: 19 May, 2026 | 15:16
Updated At: 19 May, 2026 | 15:16

CISA Catalog: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses
CWE ID: CWE-348
Type: Primary
Source: disclosure@vulncheck.com
References (source: disclosure@vulncheck.com; resource type: N/A)
  • https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88
  • https://github.com/hestiacp/hestiacp/issues/5229
  • https://github.com/hestiacp/hestiacp/pull/5273
  • https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634
  • https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header

Similar CVEs

5 records found
CVE-2021-30070
Matching Score: 8
Assigner: MITRE Corporation
CVSS Score: 7.5 | HIGH
EPSS: 0.24% / 47.64% (7 day change ~0.00%)
Published: 18 Aug, 2022 | 04:16
Updated: 03 Aug, 2024 | 22:24
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Action: Not Available
Vendor: hestiacp, n/a
Product: hestiacp, n/a
CVE-2026-35391
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 8.7 | HIGH
EPSS: 0.02% / 6.22% (7 day change ~0.00%)
Published: 06 Apr, 2026 | 20:17
Updated: 09 Apr, 2026 | 20:59
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

Action: Not Available
Vendor: bulwarkmail
Product: webmail
CWE ID: CWE-348 (Use of Less Trusted Source)
CVE-2024-45410
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 9.8 | CRITICAL
EPSS: 13.95% / 94.41% (7 day change ~0.00%)
Published: 19 Sep, 2024 | 22:51
Updated: 25 Sep, 2024 | 17:39
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
HTTP client can remove the X-Forwarded headers in Traefik

Traefik is a golang, Cloud Native Application Proxy. When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For an HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise if they can be modified. For HTTP/1.1, however, it was found that some of these custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action: Not Available
Vendor: traefik
Product: traefik
CWE ID: CWE-348 (Use of Less Trusted Source)
CWE ID: CWE-345 (Insufficient Verification of Data Authenticity)
CVE-2022-2255
Matching Score: 4
Assigner: Red Hat, Inc.
CVSS Score: 7.5 | HIGH
EPSS: 0.68% / 71.74% (7 day change ~0.00%)
Published: 25 Aug, 2022 | 17:26
Updated: 03 Aug, 2024 | 00:32
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

Action: Not Available
Vendor: modwsgi, n/a, Debian GNU/Linux
Product: debian_linux, mod_wsgi
CWE ID: CWE-348 (Use of Less Trusted Source)
CWE ID: CWE-345 (Insufficient Verification of Data Authenticity)
CVE-2025-27913
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 2.1 | LOW
EPSS: 0.11% / 29.62% (7 day change ~0.00%)
Published: 10 Mar, 2025 | 00:00
Updated: 19 Jun, 2025 | 00:14
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.

Action: Not Available
Vendor: passbolt, Passbolt
Product: passbolt_api, API
CWE ID: CWE-348 (Use of Less Trusted Source)