Missing Authentication for Critical Function Affecting fluentd package, versions <1.19.3


Severity

High (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUBY-FLUENTD-17660642
  • Published: 27 Jun 2026
  • Disclosed: 26 Jun 2026
  • Credit: everping

Introduced: 26 Jun 2026

CVE-2026-44025
CWE-306

How to fix?

Upgrade fluentd to version 1.19.3 or higher.

Overview

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the in_monitor_agent process. An attacker can access sensitive internal instance variables, including credentials, by sending HTTP requests to the Monitor Agent API endpoints. The impact depends on network exposure and plugin configuration.

Workaround

This vulnerability can be mitigated by restricting access to the Monitor Agent port, binding it to localhost, and using firewall rules to block untrusted network access.
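One way to check a configuration against this workaround, as an added example that is not Snyk's or the Fluentd project's code: the Ruby script below lists every `monitor_agent` source whose `bind` is not a loopback address. It assumes the plugin defaults of `bind 0.0.0.0` and `port 24220` when a parameter is omitted, handles only literal values in a single file (no `@include`, no embedded Ruby), and runs on a constructed sample configuration.

```ruby
require 'ipaddr'

# in_monitor_agent defaults when a parameter is omitted (assumed plugin defaults).
DEFAULT_BIND = '0.0.0.0'
DEFAULT_PORT = 24220

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = <<~CONF
  <source>
    @type monitor_agent   # no bind: falls back to the default
  </source>
  <source>
    @type monitor_agent
    bind 127.0.0.1
    port 24221
  </source>
CONF

# Collect bind/port for every <source> block of @type monitor_agent.
def monitor_agent_sources(conf_text)
  sources, current, depth = [], nil, 0
  conf_text.each_line do |raw|
    line = raw.strip.sub(/\s+#.*\z/, '') # drop trailing comments
    next if line.empty? || line.start_with?('#')
    if current.nil?
      current = {} if line == '<source>'
    elsif line == '</source>'
      sources << current if current['@type'] == 'monitor_agent'
      current = nil
    elsif line.start_with?('</') then depth -= 1 # leaving a nested section
    elsif line.start_with?('<') then depth += 1  # entering a nested section
    elsif depth.zero?                            # only the source's own keys
      key, value = line.split(/\s+/, 2)
      current[key] = value.to_s.delete(%q("'))
    end
  end
  sources.map { |s| { bind: s.fetch('bind', DEFAULT_BIND), port: s.fetch('port', DEFAULT_PORT).to_i } }
end

# True only for loopback binds; anything unparsable is treated as exposed.
def loopback?(bind)
  IPAddr.new(bind).loopback?
rescue IPAddr::Error
  bind == 'localhost'
end

# Monitor Agent listeners reachable from other hosts, pending firewall review.
def exposed_monitor_agents(conf_text)
  monitor_agent_sources(conf_text).reject { |s| loopback?(s[:bind]) }
end
```

A non-empty result means the listener still depends on firewall rules alone; setting `bind 127.0.0.1` in that source removes it from the list.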
