GHSA-pr7j-96cj-549h: Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API
Fluentd's Monitor Agent plugin exposes internal plugin instance variables via its REST API, potentially leaking sensitive information such as database passwords or API keys. This vulnerability affects versions prior to 1.19.3. An attacker with network access to the Monitor Agent port (default 24220) can retrieve this sensitive data. The severity depends on network exposure and plugin configuration. A patch is available in version 1.19.3. Until patched, restricting Monitor Agent access to localhost or blocking the port with firewall rules mitigates the risk.
AI Analysis
Technical Summary
The Fluentd Monitor Agent plugin (`in_monitor_agent`) exposes internal metrics and plugin information through a REST API endpoint (`/api/plugins.json` and related). This API unintentionally includes internal instance variables of loaded plugins, which may contain sensitive data such as credentials. If an attacker can access the Monitor Agent API port (default 24220), they can retrieve this sensitive information in plain text. The vulnerability is present in Fluentd versions before 1.19.3. The risk is influenced by network exposure and the specific plugins used. The issue is addressed in Fluentd version 1.19.3.
Potential Impact
Unauthorized disclosure of sensitive information stored in plugin instance variables via the Monitor Agent API. This can lead to exposure of database passwords, API keys, or cloud credentials. The impact is high confidentiality loss but does not affect integrity or availability. The actual impact depends on network exposure of the Monitor Agent port and the sensitive data stored by plugins.
Mitigation Recommendations
A patch is available in Fluentd version 1.19.3 and should be applied to remediate this vulnerability. Until patching is possible, restrict access to the Monitor Agent port by binding it to localhost (127.0.0.1) instead of all interfaces (0.0.0.0). Additionally, use firewall rules to block access to port 24220 from untrusted networks or hosts.
GHSA-pr7j-96cj-549h: Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API
Description
Fluentd's Monitor Agent plugin exposes internal plugin instance variables via its REST API, potentially leaking sensitive information such as database passwords or API keys. This vulnerability affects versions prior to 1.19.3. An attacker with network access to the Monitor Agent port (default 24220) can retrieve this sensitive data. The severity depends on network exposure and plugin configuration. A patch is available in version 1.19.3. Until patched, restricting Monitor Agent access to localhost or blocking the port with firewall rules mitigates the risk.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Fluentd Monitor Agent plugin (`in_monitor_agent`) exposes internal metrics and plugin information through a REST API endpoint (`/api/plugins.json` and related). This API unintentionally includes internal instance variables of loaded plugins, which may contain sensitive data such as credentials. If an attacker can access the Monitor Agent API port (default 24220), they can retrieve this sensitive information in plain text. The vulnerability is present in Fluentd versions before 1.19.3. The risk is influenced by network exposure and the specific plugins used. The issue is addressed in Fluentd version 1.19.3.
Potential Impact
Unauthorized disclosure of sensitive information stored in plugin instance variables via the Monitor Agent API. This can lead to exposure of database passwords, API keys, or cloud credentials. The impact is high confidentiality loss but does not affect integrity or availability. The actual impact depends on network exposure of the Monitor Agent port and the sensitive data stored by plugins.
Mitigation Recommendations
A patch is available in Fluentd version 1.19.3 and should be applied to remediate this vulnerability. Until patching is possible, restrict access to the Monitor Agent port by binding it to localhost (127.0.0.1) instead of all interfaces (0.0.0.0). Additionally, use firewall rules to block access to port 24220 from untrusted networks or hosts.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-pr7j-96cj-549h
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-44025"]
- Ecosystems
- ["RubyGems"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a3ef79627e9c79719ff8e84
Added to database: 06/26/2026, 22:05:10 UTC
Last enriched: 06/26/2026, 22:19:45 UTC
Last updated: 06/26/2026, 22:19:45 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.