HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header_CVE-2026-43634

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

AI Analysis

IP spoofing vulnerability allowing unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header

Basic Information

ID CVE-2026-43634

Source VulnCheck

Published May 19, 2026 at 13:33

Modified May 19, 2026 at 14:16

Affected Product

Vendor hestiacp

Product hestiacp

Version 1.2.0

Affected Versions hestiacp hestiacp 1.2.0

CWE Classification

CWE-348

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor HestiaCP

Product HestiaCP

Version 1.2.0-1.9.4

References

{
    "lastseen": "",
    "description": "HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.",
    "published": "2026-05-19T13:33:08.825Z",
    "modified": "2026-05-19T14:16:09.275Z",
    "type": "cve",
    "title": "HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header",
    "source": "VulnCheck",
    "references": "https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634\nhttps://github.com/hestiacp/hestiacp/issues/5229\nhttps://github.com/hestiacp/hestiacp/pull/5273\nhttps://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88\nhttps://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header",
    "id": "CVE-2026-43634",
    "bulletinFamily": "",
    "cwe": [
        "CWE-348"
    ],
    "cvelist": null,
    "sourceData": "hestiacp hestiacp 1.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hestiacp",
    "version": "1.2.0",
    "vendor": "hestiacp",
    "ai_description": "IP spoofing vulnerability allowing unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header",
    "ai_severity": "High",
    "ai_vendor": "HestiaCP",
    "ai_product": "HestiaCP",
    "ai_version": "1.2.0-1.9.4",
    "ai_score": 8.7
}